In your current architecture, the AKS cluster acts as the token issuer. Microsoft Entra ID uses OpenID Connect to discover public signing keys and verify the authenticity of the service account token before exchanging it for a Microsoft Entra token. Your workload can exchange a service account token projected to its volume for a Microsoft Entra token using the Azure Identity client library or the Microsoft Authentication Library (MSAL).
There are only 2 ways to request an access token via OBO:
OR
Second case: Access token request with a certificate which requires client ID and client_assertion
My recommendation here would be to share this as a feature request on our feedback portal.
If you don't have any further queries and the suggestion above answers your ask, please "Accept the answer". This will help us and others in the community as well.
Thanks,
Akshay Kaushik
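The following is an added example, not part of the answer above and not Microsoft's code: a preflight check that decodes the projected service account token and compares its `iss`, `sub`, `aud` and `exp` claims with what the federated identity credential expects, which is the match Microsoft Entra ID performs before the exchange. The issuer URL, namespace and service account name are constructed placeholders, the audience `api://AzureADTokenExchange` is assumed to be the one configured, and the signature is deliberately not verified here because that is Entra ID's job.

```python
import base64
import json
import time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_federation(token, issuer, subject,
                     audience="api://AzureADTokenExchange", now=None):
    """Return a list of mismatches between the token and the federated credential."""
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    problems = []
    if claims.get("iss") != issuer:  # exact string compare, trailing slash included
        problems.append(f"iss: {claims.get('iss')!r} != {issuer!r}")
    if claims.get("sub") != subject:
        problems.append(f"sub: {claims.get('sub')!r} != {subject!r}")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if audience not in audiences:
        problems.append(f"aud: {audiences!r} lacks {audience!r}")
    if claims.get("exp", 0) <= now:
        problems.append("exp: token expired")
    return problems

# Constructed sample token: placeholder issuer, namespace and service account,
# and a dummy signature. In a pod the real token is read from the file named
# by the AZURE_FEDERATED_TOKEN_FILE environment variable.
ISSUER = "https://oidc.example.invalid/00000000-0000-0000-0000-000000000000/"
SUBJECT = "system:serviceaccount:demo:workload-sa"
SAMPLE = ".".join([
    b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url(json.dumps({"iss": ISSUER, "sub": SUBJECT,
                       "aud": ["api://AzureADTokenExchange"],
                       "exp": 2_000_000_000}).encode()),
    b64url(b"constructed-not-a-real-signature"),
])

if __name__ == "__main__":
    print(check_federation(SAMPLE, ISSUER, SUBJECT) or "claims match")
```

An empty list means the claims line up with the federated credential; any entry names the claim to fix in the credential or the service account before looking further at the token request.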