fix(auth): accept both v1 (api://guid) and v2 (guid) audiences

Default app registrations have requestedAccessTokenVersion=null, which
means Entra issues v1 access tokens with aud='api://<clientId>'. EasyAuth
was configured with allowedAudiences=['<clientId>'] (bare GUID only), so
every Web->API call failed audience validation and returned 401.

Include both forms so the script works regardless of the app reg's
accessTokenAcceptedVersion setting.

Author: DonLee

infra/scripts/configure_auth.ps1

@@ -254,7 +254,7 @@ function Patch-AuthConfig($CaName, $ClientId, $AddWebAllowed) {
   if (-not $aad.registration) { $aad | Add-Member -MemberType NoteProperty -Name registration -Value (@{}) }
   $aad.registration.openIdIssuer = "https://login.microsoftonline.com/$TenantId/v2.0"
   if (-not $aad.validation) { $aad | Add-Member -MemberType NoteProperty -Name validation -Value (@{}) }
-  $aad.validation.allowedAudiences = @($ClientId)
+  $aad.validation.allowedAudiences = @($ClientId, "api://$ClientId")
   if (-not $aad.validation.defaultAuthorizationPolicy) { $aad.validation | Add-Member -MemberType NoteProperty -Name defaultAuthorizationPolicy -Value (@{}) }
   $policy = $aad.validation.defaultAuthorizationPolicy
   $allowed = @()

infra/scripts/configure_auth.sh

@@ -342,7 +342,7 @@ aad = idp.setdefault('azureActiveDirectory', {})
 reg = aad.setdefault('registration', {})
 reg['openIdIssuer'] = f\"https://login.microsoftonline.com/{os.environ['TENANT_ID']}/v2.0\"
 val = aad.setdefault('validation', {})
-val['allowedAudiences'] = [os.environ['CLIENT_ID']]
+val['allowedAudiences'] = [os.environ['CLIENT_ID'], 'api://' + os.environ['CLIENT_ID']]
 policy = val.setdefault('defaultAuthorizationPolicy', {})
 allowed = set(policy.get('allowedApplications') or [])
 if os.environ['ADD_WEB'] == 'true':