You confuse the purpose of the ID token and the access token.
What you should use here is the access token.
Your backend app is a protected web API in this scenario.
As adp suggested, you need to follow the specific information:
Your app registration must expose at least one scope or one
application role. Scopes are exposed by web APIs that are called on
behalf of a user.
Application roles are exposed by web APIs called by daemon
applications (which call your web API on their own behalf).
If you create a new web API app registration, set the access token
version accepted by your web API to 2. For legacy web APIs, the
accepted token version can be null, but this value restricts the
sign-in audience to organizations only, and personal Microsoft
accounts (MSA) won't be supported.
The code configuration for the web API must validate the token used
when the web API is called.
The code in the controller actions must validate the roles or scopes
in the token.
There is a sample on GitHub.
To protect your API with Azure AD, you need to register two Azure AD apps: one for the client app (front end) and the other for the API app (backend).
In the API app, you need to expose an API. By doing steps 7 and 8, you can expose the scope.
Then you need to configure the client app. With step 8 here, you can add the permission (scope) exposed by the API app to the client app.
Use MSAL to request the access token, which includes this permission (scope). You can verify it in your code. If the permission is what you expected, the client is allowed to access your API.
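The scope-or-role check the answer describes, written out as an added example (not code from the answer or from the Microsoft sample). Signature, issuer and expiry validation are assumed to be handled by the web API's token validation middleware; the audience value and the tokens are constructed samples.

```python
"""Controller-level check of the scp/roles claims in a Microsoft identity
platform v2.0 access token. Added illustration; signature validation is
assumed done upstream, so only the claim decision is shown here."""
import base64
import json

API_APP_ID = "api://11111111-2222-3333-4444-555555555555"  # constructed audience


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (no signature check here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def is_authorized(claims: dict, accepted_scopes: set, accepted_roles: set) -> bool:
    """Delegated tokens (user signed in via the client app) carry granted
    scopes in 'scp' as a space-separated string; application tokens (daemon
    calling on its own behalf) carry 'roles' as a list. The token must be
    v2.0 and issued for this API, otherwise it is rejected outright."""
    if claims.get("ver") != "2.0" or claims.get("aud") != API_APP_ID:
        return False
    scopes = set(claims.get("scp", "").split())
    roles = set(claims.get("roles", []))
    return bool(scopes & accepted_scopes) or bool(roles & accepted_roles)


def _make_token(payload: dict) -> str:
    # Constructed sample token: header + payload + placeholder signature.
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.sig"


# Constructed sample tokens for the three cases a controller will meet.
DELEGATED_TOKEN = _make_token({"ver": "2.0", "aud": API_APP_ID, "scp": "access_as_user"})
DAEMON_TOKEN = _make_token({"ver": "2.0", "aud": API_APP_ID, "roles": ["Todo.Read.All"]})
WRONG_AUDIENCE = _make_token({"ver": "2.0", "aud": "api://other", "scp": "access_as_user"})
```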