79640074

Date: 2025-05-27 08:24:29
Score: 0.5

I think these are 2 conflicting ways of handling authentication, and that is causing the issue. Either use JWT authentication or use easy authentication with AAD. App Service does not send you the JWT token that your API requires, so even if you do authenticate via easy auth, it's still unauthorized because there is no JWT token in your header forwarded from App Service. If you still want to have 2 levels of authentication, then you have to inspect the header for the principal details (ms-client-principal) that's forwarded by your App Service. So to summarize:

Option 1

Remove your JWT auth on your API level and use easy authentication with AAD to handle everything for you.

Option 2 (I don't recommend this)

Keep your double authentication layers and, instead of using JWT tokenization, inspect the header forwarded by App Service for claim details.

Reasons:
  • Long answer (-0.5):
  • No code block (0.5):
  • Low reputation (0.5):
Posted by: Nate1zn
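An added example of the header inspection described in Option 2; it is not code from the answer or from the asker's project. It assumes the header is the one App Service Authentication documents as `X-MS-CLIENT-PRINCIPAL` (base64-encoded JSON with a `claims` list of `typ`/`val` pairs), that the API is reachable only through App Service so the header cannot be supplied by a client, and it uses hypothetical function names and a constructed sample principal.

```python
import base64
import json

# Header set by App Service Authentication (Easy Auth); base64-encoded JSON.
# Assumption: the app is reachable only through App Service, which sets it.
PRINCIPAL_HEADER = "x-ms-client-principal"

# Constructed sample principal, not captured from a real tenant.
SAMPLE_PRINCIPAL = {
    "auth_typ": "aad",
    "claims": [
        {"typ": "name", "val": "Test User"},
        {"typ": "roles", "val": "Orders.Read"},
    ],
}


def encode_principal(doc):
    """Encode a principal dict the way the header carries it (test helper)."""
    return base64.b64encode(json.dumps(doc).encode("utf-8")).decode("ascii")


def parse_client_principal(headers):
    """Return {'auth_typ', 'claims'} or None when missing or malformed."""
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get(PRINCIPAL_HEADER)
    if not raw:
        return None
    try:
        doc = json.loads(base64.b64decode(raw, validate=True))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    if not isinstance(doc, dict) or not isinstance(doc.get("claims"), list):
        return None
    claims = {}
    for item in doc["claims"]:
        if isinstance(item, dict) and "typ" in item and "val" in item:
            claims.setdefault(item["typ"], []).append(item["val"])
    return {"auth_typ": doc.get("auth_typ"), "claims": claims}


def is_authorized(headers, claim_type, required_value):
    """Fail closed: no usable principal header means not authorized."""
    principal = parse_client_principal(headers)
    if principal is None:
        return False
    return required_value in principal["claims"].get(claim_type, [])
```
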