Azure / azure-workload-identity

Azure AD Workload Identity uses Kubernetes primitives to associate managed identities for Azure resources and identities in Azure Active Directory (AAD) with pods.
https://azure.github.io/azure-workload-identity
MIT License

Workload Identity can't support for MI+FIC scenario #1363

Closed cdlliuy closed 6 days ago

cdlliuy commented 1 month ago

Describe the bug

I am referring to the sample code for the MI + FIC approach to access, from tenant A, an Azure resource in another tenant B.

When working with aad-pod-identity, the sample code works correctly to get the expected access token.

Then, I followed the workload identity migration guide today (June 3rd, 2024) https://learn.microsoft.com/en-us/azure/aks/workload-identity-migrate-from-pod-identity with image version workload-identity/webhook:v1.2.2.

Running the same application, I got failure:

AADSTS700231: Token obtained using another federated identity credential may not be used as federated identity credential. Trace ID: 279fd918-de75-4e03-8e06-fc81c2f53701 Correlation ID: 2fdf12ed-40b7-471d-8b97-07f272e9b43a Timestamp: 2024-06-03 06:04:06Z
   at Microsoft.Identity.Client.OAuth2.OAuth2Client.ThrowServerException(HttpResponse response, RequestContext requestContext)
   at Microsoft.Identity.Client.OAuth2.OAuth2Client.CreateResponse[T](HttpResponse response, RequestContext requestContext)

Steps To Reproduce

See above description.

Expected behavior

I understand that the double hop is not supported, but this behavior means an application that was running successfully on aad-pod-identity no longer works with workload identity.
It is a bigger risk for the end-user.

Also, MI-FIC is the recommended approach from a security perspective. How do we explain that it can't work on AKS anymore when workload identity is enabled?

Logs

Environment

Additional context

aramase commented 6 days ago

Also, MI-FIC is the recommended approach from a security perspective. How do we explain that it can't work on AKS anymore when workload identity is enabled?

@cdlliuy This repo is for the mutating webhook configuration in Azure Workload Identity. For FIC configuration, I would recommend reaching out to the Entra team.