<PackageReference Include="Microsoft.Identity.Client" Version="4.84.2-preview4-GetManagedIdentityCapabilitiesAsync" />

Microsoft.Identity.Client.AppConfig.MtlsBindingStrength

public enum MtlsBindingStrength
Describes the strength with which a token can be bound to a cryptographic key on the current host. Higher values indicate stronger binding. The value reflects what the host is capable of producing, not what a particular request used.
Bearer = 0

No key binding is available; only bearer tokens can be issued. This is the floor of the range (for example, on .NET Framework 4.6.2, which does not support PoP).

The token can be bound to a key isolated by Virtualization-based Security (VBS), such as KeyGuard on a Trusted Launch (TVM) or Confidential (CVM) virtual machine. This is the only tier that implies hardware-backed attestation.

The token can be bound to a software-backed key (for example, a persisted CNG key on Windows, or a software RSA key elsewhere). The key is not hardware-isolated.