"Web API calls MS Graph" add example called via web application/client based like Blazor or MVC .NET 6

[tdceus]

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [x] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

I tried to use the example Web API now calls Microsoft Graph example, but now it will be called via a web application like MVC or Blazor in .NET 6. As soon as the WebApi calls the MSGraph via the WebApp, a MsalUiRequiredException is thrown.
The InnerException is of type MicrosoftIdentityWebChallengeUserException. I would like to see an example which follows the OBO flow but then called via a .NET 6 web application. Thus via WebApp -> WebApi -> MS Graph.

The WebApi replies now with following code during handling the exception:
_tokenAcquisition.ReplyForbiddenWithWwwAuthenticateHeader(_graphOptions.Value.Scopes.Split(' '), challengeException.MsalUiRequiredException);

How can I handle MsalUiRequiredException or Forbidden response in the web application passed by the web API?

I think my configuration in Azure AD is correct, as the native client (XAML) application works.

Can you give me some pointers, to solve my problem?

Any log messages given by the failure

The following exception message is shown in the debugger for the WebApi: IDW10502: An MsalUiRequiredException was thrown due to a challenge for the user. See https://aka.ms/ms-id-web/ca_incremental-consent.

Expected/desired behavior

Use this example with the On-Behalf-Of flow as well called via a web application like MVC and/or Blazor created in .NET 6.

OS and Version?

Windows 10

Versions

Windows 10 20H2; .NET 6 (6.0.2); Microsoft.Identity.Web 1.23.0

Mention any other details that might be useful

I know there is an example active-directory-aspnetcore-webapp-openidconnect-v2/4-WebApp-your-API, but the WebAPI doesn't call MS Graph.