In my case this was an issue with scopes and what I was requesting from my application. What fixed this exact error for me: In my scenario I was requesting the .default scope of a 3rd party API which I had registered in Azure Portal. I was using MSAL for .net wpf and requesting .default scope but got this error. To fix, I needed to define at least one scope in both API Permissions and Expose API sections of the app registration. Once I defined any scope (called "test" for example). I was issued the JWT I was expecting and .default was expanded to "test" in the resulting token.

More reading here: https://learn.microsoft.com/en-us/entra/identity-platform/scopes-oidc#the-default-scope