使用证书身份验证调用 Azure 资源速率 API 时获取 403

我正在尝试创建一个可以使用证书身份验证调用 Azure 资源速率 API 的控制台应用。为此，我使用了以下分支 GitHub 链接。

我收到 403 错误。我已将 Web 应用添加到我的 Azure AD。在清单中，我已使用以下 PowerShell 命令从已签名的证书中复制了密钥凭据;

$cert=New-SelfSignedCertificate -Subject "CN=RateCardCert"
-CertStoreLocation "Cert:CurrentUserMy"  -KeyExportPolicy Exportable -KeySpec Signature  
$bin = $cert.RawData $base64Value = [System.Convert]::ToBase64String($bin)
$bin = $cert.GetCertHash() 
$base64Thumbprint = [System.Convert]::ToBase64String($bin) 
$keyid = [System.Guid]::NewGuid().ToString() 
$jsonObj = @ customKeyIdentifier=$base64Thumbprint;keyId=$keyid;type="AsymmetricX509Cert";usage="Verify";value=$base64Value} 
$keyCredentials=ConvertTo-Json @($jsonObj) | Out-File "keyCredentials.txt"

在 de 控制台应用程序中，我使用以下函数来获取令牌;

public static string GetOAuthTokenFromAAD_ByCertificate(string TenanatID, string ClientID, string CertificateName)
    {
        //Creating the Authentication Context
        var authContext = new AuthenticationContext(string.Format("https://login.windows.net/{0}", TenanatID));
        //Console.WriteLine("new authContext made");
        //Creating the certificate object. This will be used to authenticate
        X509Certificate2 cert = null;
        //Console.WriteLine("empty 'cert' made, null");
        //The Certificate should be already installed in personal store of the current user under 
        //the context of which the application is running.
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);

        try
        {
            //Trying to open and fetch the certificate
            store.Open(OpenFlags.ReadOnly);
            var certCollection = store.Certificates;
            var certs = certCollection.Find(X509FindType.FindBySubjectName, CertificateName, false);
            //Checking if certificate found
            if (certs == null || certs.Count <= 0)
            {
                //Throwing error if certificate not found
                throw new Exception("Certificate " + CertificateName + " not found.");
            }
            cert = certs[0];
        }
        finally
        {
            //Closing the certificate store
            store.Close();
        }
        //Creating Client Assertion Certificate object
        var certCred = new ClientAssertionCertificate(ClientID, cert);
        //Fetching the actual token for authentication of every request from Azure using the certificate
        var token = authContext.AcquireToken("https://management.core.windows.net/", certCred);
        //Optional steps if you need more than just a token from Azure AD
        //var creds = new TokenCloudCredentials(subscriptionId, token.AccessToken);
        //var client = new ResourceManagementClient(creds); 
        //Returning the token
        return token.AccessToken;
    }

这是生成 URL 并放入请求的代码部分(xxxx 部分替换为我在 Azure AD 中注册的 Web 应用的客户端 ID(;

//Get the AAD User token to get authorized to make the call to the Usage API
        string token = GetOAuthTokenFromAAD_ByCertificate("<MyTenantName.onmicrosoft.com", "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "RateCardCert");

            // Build up the HttpWebRequest
        string requestURL = String.Format("{0}/{1}/{2}/{3}",
                   ConfigurationManager.AppSettings["ARMBillingServiceURL"],
                   "subscriptions",
                   ConfigurationManager.AppSettings["SubscriptionID"],
                   "providers/Microsoft.Commerce/RateCard?api-version=2015-06-01-preview&$filter=OfferDurableId eq 'MS-AZR-0044P' and Currency eq 'EUR' and Locale eq 'nl-NL' and RegionInfo eq 'NL'");
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(requestURL);
        // Add the OAuth Authorization header, and Content Type header
        request.Headers.Add(HttpRequestHeader.Authorization, "Bearer " + token);
        request.ContentType = "application/json";
        // Call the RateCard API, dump the output to the console window
        try
        {
            // Call the REST endpoint
            Console.WriteLine("Calling RateCard service...");
            HttpWebResponse response = (HttpWebResponse)request.GetResponse();
            Console.WriteLine(String.Format("RateCard service response status: {0}", response.StatusDescription));
            Stream receiveStream = response.GetResponseStream();
            // Pipes the stream to a higher level stream reader with the required encoding format. 
            StreamReader readStream = new StreamReader(receiveStream, Encoding.UTF8);
            var rateCardResponse = readStream.ReadToEnd();
            Console.WriteLine("RateCard stream received.  Press ENTER to continue with raw output.");
            Console.ReadLine();
            Console.WriteLine(rateCardResponse);
            Console.WriteLine("Raw output complete.  Press ENTER to continue with JSON output.");
            Console.ReadLine();
            // Convert the Stream to a strongly typed RateCardPayload object.  
            // You can also walk through this object to manipulate the individuals member objects. 
            RateCardPayload payload = JsonConvert.DeserializeObject<RateCardPayload>(rateCardResponse);
            Console.WriteLine(rateCardResponse.ToString());
            response.Close();
            readStream.Close();
            Console.WriteLine("JSON output complete.  Press ENTER to close.");
            Console.ReadLine();
        }
        catch(Exception e)
        {
            Console.WriteLine(String.Format("{0} nn{1}", e.Message, e.InnerException != null ? e.InnerException.Message : ""));
            Console.ReadLine();
        }

只是不知道我必须做什么了，我在这里错过了什么？？

控制台的完全返回为：

电话费率卡服务... 远程服务器返回错误：(403( 禁止访问。