[Feature] MSI V2 : add mTLS PoP support with cache‑correct auth scheme

[gladjohn]

Summary

This pull request implements support for mTLS PoP (Mutual TLS Proof-of-Possession) tokens in the Managed Identity authentication flow. The main improvements include proper handling and persistence of binding certificates, ensuring cache lookups use the correct authentication scheme, and updating tests to validate mTLS PoP scenarios. These changes make sure that tokens are acquired and cached securely when mTLS PoP is requested, and that expired certificates are handled correctly.

Managed Identity mTLS PoP support and certificate handling:

• Added MtlsCertificate property to AcquireTokenForManagedIdentityParameters and ensured it is passed through the authentication flow for mTLS PoP requests. [1] [2]
• Implemented logic in ManagedIdentityAuthRequest to apply the MtlsPopAuthenticationOperation when a binding certificate is available, persist the certificate for future cache lookups, and bypass cache when no valid certificate is present. [1] [2] [3] [4]

Authentication scheme and request parameter enhancements:

• Added AuthenticationOperationOverride to AuthenticationRequestParameters, allowing per-request authentication scheme overrides, and updated the effective authentication scheme selection logic. [1] [2]

ManagedIdentityClient certificate persistence:

• Introduced MtlsBindingCertificate property in ManagedIdentityClient to persist and manage the lifecycle of the binding certificate, including safe disposal of old certificates.

Unit test improvements for mTLS PoP:

• Updated unit tests to assert presence of BindingCertificate in mTLS PoP scenarios and verify correct caching and token source behavior. [1] [2] [3] [4]

Minor logging and formatting fixes:

• Corrected string interpolation in logging for CSR metadata and probe failure exceptions. [1] [2]