
What's the benefit of having a second Azure AD app (client app) that can be used to request an access token on behalf of the user in this article? I'm not sure I understand the goal here.

If the goal is to secure an Azure Function with an Authentication AND Authorization layer with RBAC, wouldn't we just create a single Azure AD app and restrict access to a set of users/apps by requiring them to have at least one role assigned to them? Authorization then happens on the Azure Function Code level.

For example, users can request an access token using the Azure CLI client if we add the client ID of the Azure CLI to the list of "authorized client applications".


Written by Johannes Schmidt

Software & Data Engineer at Datamesh GmbH. Sharing knowledge and code around software (cloud) development, data engineering & data science!
