As at February 2025, Azure / Entra ID has a preview feature to allow for expression matching against subject claims: https://docs.azure.cn/en-us/entra/workload-id/workload-identities-flexible-federated-identity-credentials?tabs=github

They're calling it Flexible Federated Identity Credentials (for now?)

For now only GitHub, GitLab, and Terraform Cloud issued tokens are supported.

Frustrating for myself, it does not work for GitHub enterprise issuer