While the OOP principles above from @8protons are sound, the lifetime of ConfidentialClientApplication is not.

Adding the ConfidentialClientApplication as a Singleton is only recommended for scenarios where your API uses Client Credential Flow to call another external API.

For other scenarios the lifetime of the ConfidentialClientApplication should be per session (if you have no user session, then read this as per-request).

Check out this discussion on the topic for details and explanations of WHY.