
Add POC: Security and OAuth 2.0 Configuration#164

Merged
nagendramishr merged 6 commits into feature/async from docs/poc-security-oauth on May 22, 2026

Conversation

@MarvelintheCloud (Collaborator)

This POC documents the end-to-end OAuth 2.0 trust chain for SimpleL7Proxy across three tiers: client → ACA → APIM.

What it covers:

  1. Three app registrations: APIM protected API, ACA protected API, and client caller app—each with distinct audiences to prevent token confusion.
  2. App role assignments via Microsoft Graph PowerShell, including the workaround for assigning roles to managed identities when the portal UI options cannot target them.
  3. Token audience mapping: client → ACA token uses api://<ACA_APP_ID>; ACA → APIM uses api://<APIM_APP_ID>/.default via managed identity.
  4. APIM JWT validation: validate-jwt policy checks APIM audience and roles=API.Caller claim, not ACA audience.
  5. Full flow diagram and worked example with concrete values.
  6. Verification checklist confirming each hop is correctly configured.

Why this POC:

  1. Aligns with the repo's workload-to-workload OAuth pattern (ca2apimSetup.sh, console2caSetup.sh, enableContainerAppAuth.sh).
  2. Documents the "each hop gets its own token audience" rule, a common source of confusion in multi-hop auth chains.
  3. Provides exact PowerShell commands for app role assignment when portal UI is insufficient.

Related to: README.md, readme.md

@nagendramishr nagendramishr merged commit f6aac7b into feature/async May 22, 2026
1 check was pending