v1.1.2 - Identity Web sends x-ms-tokenboundauth header
Bug fix: the Microsoft Identity Web path (IDownstreamApi) was returning 401 from Key Vault because it didn't send the token-bound opt-in header. It now adds 'x-ms-tokenboundauth: true' via CustomizeHttpRequestMessage, matching the MSAL path. Option 3 should now return 200 on a supported VM.