I have a server-side Blazor app running on Azure AppService protected by AAD auth. Authorized AD users (admins) are able to access and use the app.
What I want to achieve is to allow other users to access only a specific page of the Blazor app. Users would access the app from a WPF app, themselves not necessarily being AD users, but an AD application user (daemon app). The WPF app gets the token (v2.0) and opens the page in a browser with the Authorization header (bearer token); however, Blazor doesn't interpret the auth header in the request and treats the user as unauthenticated. App registrations should have been set up properly, as I'm able to access the API when using this approach.
Is this scenario possible? If so, any ideas what I could be doing wrong?
This scenario sounds like it is going quite a lot against general recommendations.
You really should not be doing "daemon app" authentication from a WPF app, as it is not a confidential client application (nor is it a daemon app). It runs on a user device, exposing the application's credential to any user. Authentication flows that use secrets should never be used from a user device.
Secondly, a Blazor application is not generally one that can accept requests from an application. Your WPF application should be calling an API, not a UI application.
What you should instead have is:
The Blazor app could be using this same API in its front-end code in a similar manner. But I don't think you are going to be able to put it in the middle of your client app and the API.