When authenticating using Entra, rather than using Office.auth.getAccessTokenAsync use createNestablePublicClientApplication from the MSAL library

import { createNestablePublicClientApplication} from "@azure/msal-browser";
…
Register an app in Entra Id and use

  var pca = await createNestablePublicClientApplication({
      auth: {
        clientId: "00000000-0000-0000-0000-00000000", //APPID
        authority: "https://login.microsoftonline.com/00000000-0000-0000-0000-00000000" //TENANTID
      },
    });
    const tokenRequest = {
      scopes: [                
        "Mail.Read",
        ...
        ],
    };
      
    const userAccount = await pca.acquireTokenSilent(tokenRequest);

        var restId = Office.context.mailbox.convertToRestId(Office.context.mailbox.item.itemId, Office.MailboxEnums.RestVersion.v2_0);

    var mailContent = await fetch(
      "https://graph.microsoft.com/v1.0/me/messages/" + restId + "/$value", {
        method: "GET",
        headers: {
          "content-type": "application/json",
          "Authorization": ("Bearer " + userAccount.accessToken)
        }});

Enable single sign-on in an Office Add-in with nested app authentication - Office Add-ins | Microsoft Learn