Hi @scoll
From your question I understood that you are using the client_credentials flow to authenticate the service principal (application/client) and want to pass the service principal's group membership as a claim in the bearer token. Based on that, your application can make an authorization decision on whether or not to provide read access to CDN resources. Please correct me if my understanding is not right.
I am answering the questions below based on the above understanding:
1) Can I do this? YES
2) Is there a doc that explains how? : Configure the Azure AD Application Registration for group attributes
3) Will this track downloads by client? : You can check the Activity Logs for this purpose.
In short, to get the group claim, you need to set "groupMembershipClaims": "All" in the manifest of the client application that you used to obtain the token.
Note: There is a limit of 150 groups for a SAML token, and 200 for a JSON Web Token (JWT).
Please do "Accept the answer" if you find the information helpful. This will help us and others in the community as well.
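As an added, illustrative example that is not part of the answer above: once "groupMembershipClaims" is set, the bearer token carries a `groups` claim listing the object IDs (GUIDs) of the groups the service principal belongs to, and the resource side can decide access from it. The Python below is my own code, not Microsoft's; it assumes the token has already been signature-validated (issuer, audience, expiry) by your JWT library before the claims are trusted, that CDN readers are a security group whose object ID is the constructed placeholder `CDN_READERS_GROUP_ID`, and that the sample token is built locally with a dummy signature segment rather than issued by Azure AD. It also shows the caveat behind the group-count limit mentioned in the answer: when a principal is in more groups than fit in the token, Azure AD omits `groups` and emits an overage indicator (`_claim_names` / `_claim_sources`) instead, so code that only looks for `groups` would silently deny every such caller.

```python
import base64
import json

# Constructed placeholder: object ID of a hypothetical "CDN readers" security group.
# In a real deployment this would be the group's GUID from Azure AD.
CDN_READERS_GROUP_ID = "11111111-2222-3333-4444-555555555555"


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_payload(token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT verifying its signature.

    This only parses; it proves nothing about who issued the token. Production
    code must validate signature, issuer, audience and expiry (for example with
    MSAL or a JWT library) before any claim here is used for authorization.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def make_sample_token(claims: dict) -> str:
    """Build a CONSTRUCTED sample token for offline testing.

    The signature segment is a dummy string; this is not a token Azure AD issued
    and must never be accepted by anything that checks signatures.
    """
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.dummy-signature"


def cdn_read_decision(claims: dict, required_group: str = CDN_READERS_GROUP_ID) -> str:
    """Decide from already-validated claims whether the caller may read CDN resources.

    Returns "allow", "deny" or "overage". "overage" means the token did not carry
    the group list because the principal exceeds the per-token group limit; the
    resource must then look membership up out of band (Microsoft Graph) instead
    of treating the missing claim as "no groups".
    """
    groups = claims.get("groups")
    if groups is None:
        # Overage: Azure AD drops 'groups' and points to a claim source instead.
        claim_names = claims.get("_claim_names") or {}
        if "groups" in claim_names:
            return "overage"
        # No groups claim at all: manifest not configured, or principal has no groups.
        return "deny"
    if not isinstance(groups, list):
        # Defensive: a non-list 'groups' value is malformed; fail closed.
        return "deny"
    return "allow" if required_group in groups else "deny"


if __name__ == "__main__":
    # Demo on a constructed token for a service principal in the CDN readers group.
    token = make_sample_token({"aud": "api://cdn-api", "appid": "client-app-id",
                               "groups": [CDN_READERS_GROUP_ID, "aaaaaaaa-0000-0000-0000-000000000000"]})
    print(cdn_read_decision(jwt_payload(token)))
```

The decision is deliberately three-valued: "deny" and "overage" must not be collapsed, because a principal that legitimately belongs to more than the token limit of groups would otherwise be locked out of the CDN even though it is in the readers group.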