Hi Luís Coelho,
Thank you for reaching out on Microsoft Q&A!
First off: checking your JWT in the inbound policy is the correct way, as there is no other way to validate it. So this part is correct :-)
When it comes to validating a call from Adaptive Cards you have to keep in mind that this call is routed through a backbone network from Microsoft, with its own tokens. So you should not check your token, but the tokens that are used by the backbone.
The code snippet below shows you how you can achieve this:
<!-- Validate the bearer token that the Microsoft backbone attaches to the call -->
<validate-jwt header-name="Authorization" failed-validation-error-message="You are not authorized to perform this call" require-scheme="Bearer">
    <!-- Signing keys are loaded from the substrate STS OpenID configuration -->
    <openid-config url="https://substrate.office.com/sts/common/.well-known/openid-configuration" />
    <issuers>
        <issuer>https://substrate.office.com/sts/</issuer>
    </issuers>
</validate-jwt>
Please click “Accept answer” if you find this helpful. Feel free to drop additional queries in the comments below!
Kind regards,
Sonny
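A policy that checks only the issuer accepts any token the substrate STS has signed, including tokens minted for other services. The variant below is an added example, not part of the original answer: it also pins the audience, assuming the backbone token carries an `aud` claim that names your API's base URL (the audience value shown is a placeholder; confirm the real claim against a token captured from a legitimate call).

```xml
<validate-jwt header-name="Authorization"
              failed-validation-httpcode="401"
              failed-validation-error-message="You are not authorized to perform this call"
              require-scheme="Bearer"
              require-expiration-time="true"
              require-signed-tokens="true">
    <!-- Signing keys come from the substrate STS discovery document, as in the answer above -->
    <openid-config url="https://substrate.office.com/sts/common/.well-known/openid-configuration" />
    <!-- Assumption: placeholder audience; replace with the aud value seen in a real backbone token -->
    <audiences>
        <audience>https://YOUR-API-BASE-URL.example</audience>
    </audiences>
    <!-- Issuer taken from the answer above -->
    <issuers>
        <issuer>https://substrate.office.com/sts/</issuer>
    </issuers>
</validate-jwt>
```

With the audience pinned, a validly signed substrate token addressed to a different endpoint is rejected with the same 401 as an unsigned or expired one.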