Description
Describe the bug
ConfidentialClientApplication.acquire_token_on_behalf_of() returns error AADSTS90014: The required field 'iss' is missing from the credential. However, when the credential is decoded, using jwt.io for example, it has an 'iss' field. This only happens on Azure, so the failure may not be an MSAL error specifically, but the error code is definitely incorrect. Running it locally using Microsoft Azure's respective CLIs for SWA and Function Apps, it does not error at all.
To Reproduce
Steps to reproduce the behavior:
(There is no sample for the OBO authentication flow, but I made an example for a Stack Overflow post that I now realize is better suited as a potential bug report)
https://github.com/cedro-gasque/stackoverflow-mre/
I have a SPA front-end and a python function app back-end. I had originally been using managed functions via Azure Static Web Apps, but I was running into a lot of errors and ended up switching to a bring-your-own-functions setup. The front-end uses msal-browser's PublicClientApplication, creating an auth token and calling the backend API with it. The API then uses msal-python's ConfidentialClientApplication to do an OBO auth flow. However, msal_app.acquire_token_on_behalf_of returns with the error in the title: AADSTS90014: The required field 'iss' is missing from the credential. I did have to generate a new certificate and key since the last time this authentication path was working (which I only know of to be when it was still managed), and this new certificate is in the Entra ID App Registration. It does not give me an error when creating the ConfidentialClientApplication as if the credentials are malformed.
On Azure, I have an app registration in Microsoft Entra ID. To that, I uploaded server.crt, obtained by following the instructions from this Microsoft page.
The other parts (thumbprint, private key) are set as environment variables on the function app.
Expected behavior
I expect the error to either be accurate to the JSON Web Token's contents, or for the authorization flow to just succeed.
The MSAL Python version you are using
python msal version 1.33.0, but the token is initially generated using the js library @azure/msal-browser = 4.21.1
Additional context
If required I can dump code from the repository but I assume this is a much less strict environment than SO.
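As an added diagnostic that is not part of this issue or of MSAL itself: a small offline JWT decoder that reports which of the claims Microsoft documents as required in a certificate-based client assertion (iss, sub, aud, exp, nbf, jti) are absent, so the 'iss' check can be run locally against whichever token is suspected. The sample token is constructed here and unsigned; the claim values in it are placeholders.

```python
import base64
import json

# Claims Microsoft Entra documents as required in a certificate-based
# client assertion JWT (assumption: taken from the public docs, not from MSAL).
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "nbf", "jti")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt(token: str) -> tuple[dict, dict]:
    """Return (header, claims) of a compact JWS. No signature check is done."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 JWT segments, got {len(parts)}")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def missing_claims(token: str, required=REQUIRED_CLAIMS) -> list[str]:
    """List required claims that are absent or empty in the token payload."""
    _, claims = decode_jwt(token)
    return [name for name in required if not claims.get(name)]


def _make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed alg=none JWT for offline testing only."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: a client-assertion-shaped payload that lacks 'iss'.
SAMPLE_WITHOUT_ISS = _make_unsigned_jwt({
    "sub": "00000000-0000-0000-0000-000000000000",       # placeholder client id
    "aud": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "exp": 1700000600, "nbf": 1700000000, "jti": "constructed-id",
})

if __name__ == "__main__":
    print("missing:", missing_claims(SAMPLE_WITHOUT_ISS))  # ['iss']
```

Feed it the real assertion string (for example the client_assertion MSAL sends, captured from your own outbound request log) to see exactly which claims the token service could be objecting to.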