Currently the Istio authentication config allows all the tokens generated by any AAD app under a tenant.
This restricts authentication to a specific app's users, equivalent to what was being authenticated in the service earlier with the clientID and appIdUri configs.
Adding the audiences check on the "aud" field in the JWT token allows only the specific AAD app's users to authenticate.
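
A sketch of the kind of Istio policy described above, added here as an illustration and not taken from this change. The resource names, namespace, workload label, v2.0 endpoints and every `<...>` value are placeholder assumptions.

```yaml
# Added example: all names and <...> values are placeholders, not the project's config.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: aad-jwt                 # hypothetical name
  namespace: my-service-ns      # hypothetical namespace
spec:
  selector:
    matchLabels:
      app: my-service           # hypothetical workload label
  jwtRules:
  # Assumes AAD v2.0 tokens; v1.0 tokens use a different issuer and keys URL.
  - issuer: "https://login.microsoftonline.com/<tenant-id>/v2.0"
    jwksUri: "https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys"
    # Without this list, issuer and signature are the only checks, so a token
    # minted for any app registration in the tenant validates.
    # With it, the token's "aud" claim must match one of the entries.
    audiences:
    - "<client-id>"             # list whichever values the app's tokens
    - "<app-id-uri>"            # actually carry in "aud"
---
# RequestAuthentication only rejects requests that carry an invalid token.
# Requests with no token still pass unless an AuthorizationPolicy requires
# an authenticated request principal.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-aad-jwt         # hypothetical name
  namespace: my-service-ns
spec:
  selector:
    matchLabels:
      app: my-service
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]   # any request with a validated JWT
```

After applying a policy like this, a token issued for a different app in the same tenant should be rejected with HTTP 401, which is a quick way to confirm the audience check is in effect.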