Adventures in Azure API Management: Pay Attention to Order in Policies

Policy1.xml

<policies>
    <inbound>
        <base />
        <authentication-managed-identity resource="https://MY_WEB_APP.azurewebsites.net" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

Policy2.xml

<policies>
    <inbound>
        <base />
        <authentication-managed-identity resource="https://MY_WEB_APP.azurewebsites.net" />        
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
            <openid-config url="https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration" />
            <required-claims>
                <claim name="aud">
                    <value>API_APP_REGISTRATION_APP_CLIENT_ID</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

Policy3.xml

<policies>
    <inbound>
        <base />
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
            <openid-config url="https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration" />
            <required-claims>
                <claim name="aud">
                    <value>d5070be4-48dc-4618-beb4-853df62818dc</value>
                </claim>
            </required-claims>
        </validate-jwt>
        <authentication-managed-identity resource="https://MY_WEB_APP.azurewebsites.net" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>