
Entra OpenID - Client can't connect to API using the same authority and client


I am following the information from this YouTube video by Nick Chapsas.

I have the following set up as described:

API

    builder.Services.AddAuthentication(a =>
    {
        a.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        a.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        a.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
    }).AddJwtBearer(b =>
    {
        b.TokenValidationParameters = new TokenValidationParameters
        {
            ValidIssuer = builder.Configuration["JwtSettings:Issuer"],
            ValidAudience = builder.Configuration["JwtSettings:Audience"],
            IssuerSigningKey = new SymmetricSecurityKey(
                Encoding.UTF8.GetBytes(builder.Configuration["JwtSettings:Key"]!)),
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true
        };
    });

With appsettings.json:

    "JwtSettings": {
      "Issuer": "https://login.microsoftonline.com/089e76d9-be81-46e6-9249-325211a2cc67/v2.0",
      "Audience": "5e7c53f0-527f-440c-8be2-34dccc1513ef",
      "Key": "myRegisteredApplicationSecret"
    }

Where 089e76d9-be81-46e6-9249-325211a2cc67 is the (fake) tenant ID and 5e7c53f0-527f-440c-8be2-34dccc1513ef is the (fake) client ID of the registered application on Entra ID.

Client

For now I am using Postman to try and get authentication running. As mentioned by Nick I call my endpoint:

https://localhost:7049/WeatherForecast

And set header to:

[Screenshot of the request header in Postman]

I hid everything after ey but it's the full JWT token that I received from my Front End colleague.

That token was requested upon sign in against the same Issuer. It's defined like this on the Blazor WASM app:

    {
      "AzureAd": {
        "ClientId": "5e7c53f0-527f-440c-8be2-34dccc1513ef",
        "Authority": "https://login.microsoftonline.com/089e76d9-be81-46e6-9249-325211a2cc67/v2.0",
        "ValidateAuthority": true
      }
    }

It's supposed to work according to my colleague, but I still get

401 Unauthorized

as the result of my Postman request.

I have tried removing those Validate* tokenValidationParameters, to see if setting it less strict works but that's not the case.

My question

  1. Am I missing something?
  2. Is there a way to generate a token myself and see if I can get it to work with that?
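A diagnostic for a 401 like the one described above, added here as an example and not part of the original post: it decodes a token's header and payload and compares `alg`, `iss`, `aud` and `exp` with what the API's `TokenValidationParameters` expects. The helper names (`Inspect`, `Encode`, `Decode`) are hypothetical and the sample token is constructed inline; it assumes the usual Entra ID behaviour of signing tokens with an asymmetric algorithm (RS256), while a `SymmetricSecurityKey` can only verify HMAC signatures.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;

// Expected values copied from the question's JwtSettings (the GUIDs are the post's fake ones).
const string Issuer = "https://login.microsoftonline.com/089e76d9-be81-46e6-9249-325211a2cc67/v2.0";
const string Audience = "5e7c53f0-527f-440c-8be2-34dccc1513ef";
// Constructed sample token: made-up claims and a placeholder signature, built inline.
string sample = string.Join(".",
    Encode("{\"alg\":\"RS256\",\"typ\":\"JWT\"}"),
    Encode("{\"iss\":\"" + Issuer + "\",\"aud\":\"api://" + Audience + "\",\"exp\":1}"),
    "constructed-signature");
foreach (string finding in Inspect(sample, Issuer, Audience)) Console.WriteLine(finding);

static string Encode(string json) => Convert.ToBase64String(Encoding.UTF8.GetBytes(json))
    .TrimEnd('=').Replace('+', '-').Replace('/', '_');

static JsonElement Decode(string segment)
{
    string b64 = segment.Replace('-', '+').Replace('_', '/');
    b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
    return JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(b64))).RootElement;
}

// Reads header and payload WITHOUT verifying the signature: diagnostics only, never authorization.
static List<string> Inspect(string jwt, string issuer, string audience)
{
    var findings = new List<string>();
    string[] parts = jwt.Split('.');
    if (parts.Length != 3) { findings.Add("not a three-part JWS token"); return findings; }
    JsonElement header = Decode(parts[0]), payload = Decode(parts[1]);
    // A SymmetricSecurityKey can only verify HMAC (HS256/384/512) signatures.
    string alg = header.TryGetProperty("alg", out JsonElement a) ? a.GetString() ?? "" : "";
    if (!alg.StartsWith("HS", StringComparison.Ordinal))
        findings.Add($"alg '{alg}' is not HMAC; a symmetric IssuerSigningKey cannot verify it");
    string iss = payload.TryGetProperty("iss", out JsonElement i) ? i.GetString() ?? "" : "";
    if (iss != issuer) findings.Add($"iss '{iss}' != ValidIssuer '{issuer}'");
    // "aud" is a string or an array of strings (RFC 7519, section 4.1.3).
    var auds = new List<string>();
    if (payload.TryGetProperty("aud", out JsonElement aud) && aud.ValueKind == JsonValueKind.Array)
        foreach (JsonElement e in aud.EnumerateArray()) auds.Add(e.GetString() ?? "");
    else if (aud.ValueKind == JsonValueKind.String) auds.Add(aud.GetString()!);
    if (!auds.Contains(audience)) findings.Add($"aud '{string.Join(",", auds)}' != ValidAudience '{audience}'");
    if (payload.TryGetProperty("exp", out JsonElement exp)
        && DateTimeOffset.FromUnixTimeSeconds(exp.GetInt64()) <= DateTimeOffset.UtcNow)
        findings.Add("token is expired (exp is in the past)");
    return findings;
}
```

To check a real token, pass the value sent after `Bearer` in place of `sample`; each line printed is a claim or header value that the API configuration shown in the question would reject.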
