Taking Jenny's feedback into account

2. Web API now calls Microsoft Graph/TodoListService/Controllers/TodoListController.cs

@@ -1,6 +1,9 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
+// The same code for the controller is used in both chapters of the tutorial. 
+// In the first chapter this is just a protected API (ENABLE_OBO is not set)
+// In this chapter, the Web API calls a downstream API on behalf of the user (OBO)
 #define ENABLE_OBO
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;

Microsoft.Identity.Web/Client/TokenAcquisition.cs

@@ -442,7 +442,7 @@ public void ReplyForbiddenWithWwwAuthenticateHeader(HttpContext httpContext, IEn
             string proposedAction = "consent";
             if (msalServiceException.ErrorCode == MsalError.InvalidGrantError)
             {
-                if (AcceptedTokenVersionIsNotTheSameAsTokenVersion(msalServiceException))
+                if (AcceptedTokenVersionMismatch(msalServiceException))
                 {
                     throw msalServiceException;
                 }
@@ -473,7 +473,7 @@ public void ReplyForbiddenWithWwwAuthenticateHeader(HttpContext httpContext, IEn
             headers.Add(HeaderNames.WWWAuthenticate, v);
         }
 
-        private static bool AcceptedTokenVersionIsNotTheSameAsTokenVersion(MsalUiRequiredException msalSeviceException)
+        private static bool AcceptedTokenVersionMismatch(MsalUiRequiredException msalSeviceException)
         {
             // Normally app developers should not make decisions based on the internal AAD code
             // however until the STS sends sub-error codes for this error, this is the only