scenarios

Jean-Marc Prieur edited this page Aug 31, 2018 · 1 revision

Introduction

The Microsoft .NET authentication libraries support two kinds of scenarios: protecting a Web App or Web API, and acquiring security tokens for a protected Web API. The Microsoft.IdentityModel.x extensions are only about the former.

For the latter, see MSAL.NET scenarios.

Web Application signing in a user (and possibly calling a Web API in the name of the user)

To protect a Web App (signing in the user), you'll use ASP.NET or ASP.NET Core with the ASP.NET OpenID Connect middleware. Under the hood, this involves validating the token, which is done by the IdentityModel extensions for .NET library.

If you then want to call an API in the name of the signed-in user, see MSAL.NET's scenario "Web Application signing in a user and calling a Web API in the name of the user".

Web API calling another downstream Web API in the name of the user for whom it was called

If you want your ASP.NET or ASP.NET Core protected Web API to call another Web API on behalf of the user represented by the access token that was used to call your API, you will need to:

Signing a client assertion

The two previous scenarios are about validating a security token. In some cases, you will also want to create a security token yourself. That will, for example, be the case if you want to create a signed client assertion. For more details about client assertions, see "Client assertion in ADAL.NET".
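
The following is an added example, not code from this wiki or from the library's authors. It shows both halves described on this page with the System.IdentityModel.Tokens.Jwt package: creating a certificate-signed client assertion, then validating it with pinned issuer, audience, key and algorithm. The client id, token endpoint URL and the throwaway self-signed certificate are constructed placeholders.

```csharp
// Added example: all identifiers and values below are constructed for illustration.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;

static class ClientAssertionDemo
{
    const string ClientId = "11111111-2222-3333-4444-555555555555";   // placeholder client id
    const string TokenEndpoint = "https://login.example.test/token";  // placeholder audience

    // Build the assertion: iss and sub are the client id, aud is the token endpoint.
    static string CreateAssertion(X509Certificate2 cert) =>
        new JwtSecurityTokenHandler().CreateEncodedJwt(new SecurityTokenDescriptor
        {
            Issuer = ClientId,
            Audience = TokenEndpoint,
            Subject = new ClaimsIdentity(new[] {
                new Claim("sub", ClientId),
                new Claim("jti", Guid.NewGuid().ToString()) }), // unique id so a receiver can reject replays
            Expires = DateTime.UtcNow.AddMinutes(5),            // keep the lifetime short
            SigningCredentials = new X509SigningCredentials(cert, SecurityAlgorithms.RsaSha256)
        });

    // Validate signature, issuer, audience, lifetime and algorithm; throws on any failure.
    static string Validate(string jwt, X509Certificate2 cert, string expectedAudience)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = ClientId,
            ValidAudience = expectedAudience,
            IssuerSigningKey = new X509SecurityKey(cert), // a real validator holds only the public certificate
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 },
            ClockSkew = TimeSpan.FromMinutes(1)
        };
        new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out SecurityToken validated);
        return ((JwtSecurityToken)validated).Subject;
    }

    static void Main()
    {
        using var rsa = RSA.Create(2048);
        var request = new CertificateRequest("CN=constructed-demo", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var cert = request.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));
        string assertion = CreateAssertion(cert);
        Console.WriteLine("validated sub = " + Validate(assertion, cert, TokenEndpoint));
        try { Validate(assertion, cert, "https://other.example.test/token"); }
        catch (SecurityTokenInvalidAudienceException) { Console.WriteLine("assertion for a different audience rejected"); }
    }
}
```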