Microsoft.Identity.Client.AppConfig.MtlsBindingStrength
Describes the strength with which a token can be bound to a cryptographic key on the
current host. Higher values indicate stronger binding. The value reflects what the host
is capable of producing, not what a particular request used.
KeyGuard = 3
The token can be bound to a key isolated by Virtualization-based Security (VBS), such
as KeyGuard on a Trusted Launch (TVM) or Confidential (CVM) virtual machine. This is
the only tier that implies hardware-backed attestation.
None = 0
No key binding is available, so the host cannot perform mTLS Proof-of-Possession (for
example, on .NET Framework 4.6.2, which does not support PoP). This is the floor of the
range.
Software = 1
The token can be bound to a software-backed key (for example, a persisted CNG key on
Windows, or a software RSA key elsewhere). The key is not hardware-isolated.
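
A start-up policy gate built on these tiers, as an added example that is not part of the MSAL documentation. It assumes the host's reported strength has already been obtained and is passed in; the local enum only mirrors the values listed above, and `BindingPolicy` and `DenialReason` are hypothetical names.

```csharp
using System;

// Local mirror of the values listed on this page so the example compiles on its own.
// In an application, use Microsoft.Identity.Client.AppConfig.MtlsBindingStrength.
public enum MtlsBindingStrength { None = 0, Software = 1, KeyGuard = 3 }

public static class BindingPolicy // hypothetical helper, not part of MSAL
{
    // Returns null when the host meets the policy, otherwise the reason it does not.
    // A null result means the host CAN bind at this tier; it does not show that any
    // particular token request was bound.
    public static string DenialReason(MtlsBindingStrength hostCapability,
                                      MtlsBindingStrength required,
                                      bool requireAttestation)
    {
        // Fail closed on values this build does not know (2 is unassigned on the page,
        // and a newer library could add tiers) instead of ranking them by integer.
        if (!Enum.IsDefined(typeof(MtlsBindingStrength), hostCapability))
            return $"unknown binding strength {(int)hostCapability}";
        // Higher values indicate stronger binding, so an ordered comparison is valid
        // once the value is known to be a defined tier.
        if (hostCapability < required)
            return $"host offers {hostCapability}, policy requires {required}";
        // Only KeyGuard implies hardware-backed attestation.
        if (requireAttestation && hostCapability != MtlsBindingStrength.KeyGuard)
            return $"{hostCapability} keys are not attested";
        return null;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed inputs: (host capability, minimum tier, attestation required).
        var cases = new[]
        {
            (MtlsBindingStrength.KeyGuard, MtlsBindingStrength.Software, true),
            (MtlsBindingStrength.Software, MtlsBindingStrength.Software, true),
            (MtlsBindingStrength.None, MtlsBindingStrength.Software, false),
            ((MtlsBindingStrength)2, MtlsBindingStrength.Software, false),
        };
        foreach (var (host, min, attest) in cases)
        {
            string denial = BindingPolicy.DenialReason(host, min, attest);
            Console.WriteLine(denial == null ? $"ALLOW {host}" : $"DENY  {denial}");
        }
    }
}
```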