I am using an x509 certificate to login to Azure AD with a Root certificate. It is returning the JWT correctly and I am using that to access APIM and background server.
