The root cause is that Microsoft.Identity.Web does not fall back to DefaultAzureCredential like manual calls do. Instead, it strictly requires the Azure Workload Identity setup to be fully correct.
The AKS pod must be annotated with the correct client ID of the user-assigned managed identity.
Suppose your user-assigned managed identity client ID is <MANAGED_IDENTITY_CLIENT_ID> (replace this with your own value). For example:
kubectl annotate serviceaccount <SERVICE_ACCOUNT_NAME> \
-n <NAMESPACE> \
azure.workload.identity/client-id=<MANAGED_IDENTITY_CLIENT_ID>
The Azure AD App Registration must have a properly configured Federated Identity Credential that matches the pod's Kubernetes service account (system:serviceaccount:<namespace>:<serviceaccount>).
Create the Federated Identity Credential, for example:
# <AKS_OIDC_ISSUER_URL> is the cluster's OIDC issuer URL, shown by:
#   az aks show -g <RESOURCE_GROUP> -n <CLUSTER_NAME> --query "oidcIssuerProfile.issuerUrl" -o tsv
az identity federated-credential create \
--name workload-identity-federated-cred \
--identity-name <MANAGED_IDENTITY_NAME> \
--resource-group <RESOURCE_GROUP> \
--issuer "<AKS_OIDC_ISSUER_URL>" \
--subject "system:serviceaccount:<NAMESPACE>:<SERVICE_ACCOUNT_NAME>" \
--audiences api://AzureADTokenExchange
The Azure Workload Identity webhook must be running in the AKS cluster to inject the identity token file into the pod. Check if the webhook is installed in your AKS cluster:
kubectl get pods -n azure-workload-identity-system
Confirm that pods like azure-wi-webhook-xxxxxx are running.
Check if the token file is injected into the pod:
kubectl exec <POD_NAME> -n <NAMESPACE> -- ls /var/run/secrets/azure/tokens/
You should see azure-identity-token.
Your manual DefaultAzureCredential call works because it uses multiple sources like the IMDS endpoint, but Microsoft.Identity.Web only reads from the expected federated token file, which may be missing or improperly configured, resulting in IDW10109.
Reference: https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview?tabs=dotnet
Please let me know if you have any doubts, I will be glad to help you out.
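Added example, not part of the answer above: a small check that reads the token the workload-identity webhook projects into the pod and compares its claims (issuer, subject, audience) with the values configured on the federated identity credential, since a mismatch there is what the token exchange behind Microsoft.Identity.Web rejects. The names `check_federated_token`, `jwt_claims`, `SAMPLE_ISSUER` and `SAMPLE_TOKEN` are assumed for this example, and the token is a constructed, unsigned sample standing in for the file named by the AZURE_FEDERATED_TOKEN_FILE environment variable.

```python
# Added example (not from the original answer): inspect the projected
# federated token and compare its claims with the federated identity
# credential. In a pod, read the file named by AZURE_FEDERATED_TOKEN_FILE;
# here a constructed, unsigned sample token stands in for it.
import base64
import json


def _b64url(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims without verifying the signature; this only
    shows what was projected, Entra ID does the real verification."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    return json.loads(_b64url(parts[1]))


def check_federated_token(token, issuer, namespace, service_account,
                          audience="api://AzureADTokenExchange"):
    """Return the mismatches between the token and the federated credential
    (issuer, subject, audience); an empty list means they line up."""
    c = jwt_claims(token)
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    auds = c["aud"] if isinstance(c.get("aud"), list) else [c.get("aud")]
    problems = []
    if c.get("iss") != issuer:
        problems.append(f"iss {c.get('iss')!r} != credential issuer {issuer!r}")
    if c.get("sub") != expected_sub:
        problems.append(f"sub {c.get('sub')!r} != credential subject {expected_sub!r}")
    if audience not in auds:
        problems.append(f"aud {auds!r} lacks {audience!r}")
    return problems


def _seg(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: the issuer is a placeholder for the cluster's OIDC issuer
# URL; the subject deliberately names a different service account than the
# one the check below expects, which is the typical cause of the failure.
SAMPLE_ISSUER = "https://<REGION>.oic.prod-aks.azure.com/<TENANT_ID>/<CLUSTER_ID>/"
SAMPLE_TOKEN = ".".join([
    _seg({"alg": "RS256", "typ": "JWT"}),
    _seg({"iss": SAMPLE_ISSUER, "sub": "system:serviceaccount:app:workload-sa",
          "aud": ["api://AzureADTokenExchange"], "exp": 4102444800}),
    "c2lnbmF0dXJl",  # placeholder signature, never checked here
])
```

Run `check_federated_token(open(os.environ["AZURE_FEDERATED_TOKEN_FILE"]).read(), issuer, ns, sa)` inside the pod with the values you passed to `az identity federated-credential create`; every returned line is one claim the credential will not match.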