I believe the CD API-packages are totally unaware of your Azure AD even if you have it hooked up for regular authentication.
You need to validate the token yourself if you want to use Bearer token auth... Something like in my blog post here: https://krompaco.nu/2018/12/content-delivery-api-and-custom-authorization/
You should also remove the OAuth-package for CD API if you have those installed.
You can also ignore those headers and instead just use the cookie security in place for the current user which I think is the way the article you refer to is meant to work.
Thank you Johan. Your suggestion, slightly modified, was exactly what I needed.
I'm in the middle of a project to convert our CMS site to use OIDC/OAUTH for authentication/authorization. So far authentication to the CMS as a user works as expected but I'm running into trouble when I try to secure the Content Delivery API.
I've set up our Azure AD App to include a "ContentApiRead" role claim (type=application) for client_credentials grant type. I've added a "ContentApiRead" role (mapped role) in the virtual roles section of the web config. I've also overridden the "GetAllRoles" method as suggested here: Content Delivery API and Azure AD | Episerver Developer Community
Finally, I've granted access to "ContentApiRead" to the root of our site.
I can successfully call the API if I disable the minimum role requirement (SetMinimumRoles(string.Empty)) in the ContentDeliveryApiInitialization module, but if I use the default config or specify the minimum role as "ContentApiRead" I get a 401 Unauthorized response; I'm passing the access token in the header prefixed with "Bearer". I get this if I make the call from Postman or a C# console app.
I'm probably missing something really simple but I've spent hours trying to figure it out and can't get it to work. Help would be greatly appreciated.
UPDATE - 12/18/2020
It turns out that Azure AD is not returning the "ContentApiRead" role in the token. After inspecting the token, the only role getting returned is:
web.config (virtualRoles section): <add name="Directory.Read.All" type="EPiServer.Security.MappedRole, EPiServer.Framework" roles="Directory.Read.All" mode="Any" />
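One way to do the token validation and role check discussed in this thread, as an added example that is not code from the thread, the linked blog post, or Episerver. It assumes the System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Protocols.OpenIdConnect NuGet packages and v2.0 access tokens; the class name, tenant and audience values are hypothetical placeholders, and wiring the check into the Content Delivery API is not shown.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static class BearerRoleCheck   // hypothetical helper name
{
    // Placeholders, not values from the thread.
    private const string TenantId = "<tenant-id>";
    private const string Audience = "<api-application-id-uri>";
    private const string RequiredRole = "ContentApiRead";
    // Caches the tenant's OpenID Connect metadata and signing keys.
    private static readonly ConfigurationManager<OpenIdConnectConfiguration> Metadata =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            "https://login.microsoftonline.com/" + TenantId + "/v2.0/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());
    public static async Task<bool> HasRequiredRoleAsync(string authorizationHeader)
    {
        const string scheme = "Bearer ";
        if (authorizationHeader == null ||
            !authorizationHeader.StartsWith(scheme, StringComparison.OrdinalIgnoreCase))
            return false;
        string token = authorizationHeader.Substring(scheme.Length).Trim();
        OpenIdConnectConfiguration config = await Metadata.GetConfigurationAsync(CancellationToken.None);
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = config.Issuer,            // assumes v2.0 tokens; v1.0 uses the sts.windows.net issuer
            ValidAudience = Audience,               // reject tokens minted for another API
            IssuerSigningKeys = config.SigningKeys  // signature must match a published tenant key
        };
        try
        {
            ClaimsPrincipal principal =
                new JwtSecurityTokenHandler().ValidateToken(token, parameters, out SecurityToken _);
            // App roles arrive in "roles"; the handler may remap it to ClaimTypes.Role.
            return principal.Claims.Any(c =>
                (c.Type == "roles" || c.Type == ClaimTypes.Role) && c.Value == RequiredRole);
        }
        catch (Exception ex) when (ex is SecurityTokenException || ex is ArgumentException)
        {
            return false; // expired, wrong audience/issuer, bad signature, or malformed
        }
    }
}
```

A token that validates but returns false here is the situation described in the update: the signature, issuer and audience are fine, but the "ContentApiRead" value is absent from the roles claim.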