[V3] How to have different token type requirements per route?

[richk-h2ecommerce]

Using the following Nugets:
Duende.BFF.Yarp 3.0
Duende.BFF 3.0
Duende.AccessTokenManagement 3.2.0
Duende.AccessTokenManagement.OpenIdConnect 3.2.0

I have a simple app with just program.cs and a yarp.json config file.

I have 3 routes setup via yarp.json. 2 have AuthorizationPolicy; 1 requiring an authed user and one requiring the user has a specific role. These both work fine. These 2 routes are using the MetaData "Duende.Bff.Yarp.TokenType": "User".

Json config example for one below:

      "product-carousel": {
        "ClusterId": "phoenix-frontend-api",
        "AuthorizationPolicy": "phoenix-frontend-api-user-policy",
        "Match": { "Path": "/bff/GetProductListWithAuth" },
        "Transforms": [
          { "PathSet": "/Products/GetFakeAlternateProducts" }
        ],
        "Metadata": { "Duende.Bff.Yarp.TokenType": "User" }
      },

I need a 3rd route which allows non-authenticated users to talk to the back-end also, but naturally I still want the BFF to auth with the backend API. I have tried to facilitate this by using the TokenType "client" and specifying the ClientName to the name of a client specifically created for this purpose (different to the main clientName specified in the .AddOpenIdConnect() method.

Below is the part of the json file with the anonymous route:

  "product-carousel-anon": {
    "ClusterId": "phoenix-frontend-api-anon",
    "Match": { "Path": "/bff/GetProductListNoAuth" },
    "Transforms": [
      { "PathSet": "/Products/GetFakeAlternateProducts" }
    ],
    "Metadata": {
      "Duende.Bff.Yarp.TokenType": "Client",
      "Duende.Bff.Yarp.ClientName": "cp-bff-service"
    }
  },

And here is the setup for the ClientCredentialsClient:

builder.Services.AddClientCredentialsTokenManagement()
    .AddClient("cp-bff-service", client =>
    {
        client.TokenEndpoint = "https://localhost:44386/connect/token";
        client.ClientId = "cp-bff-service";
        client.ClientSecret = "super secret client secret";
        client.Scope = "phoenix-frontend-api";
    });

I have verified via a debug endpoint and Postman that this cp-bff-service client
a) exists
b) gets a valid token from the IDP

However, when I call the endpoint bff/GetProductListNoAuth, I can see in the IdP (separate app) logs that the request is made as the cp-bff client and not the cp-bff-service client and is therefore rejected as the cp-bff client is configured for authorization_code grantType and uses PKCE. The cp-bff client is configured for client_credentials grantType and not PKCE.

I have also tried using the UserOrClient TokenType for the anon route and get the same result.

Why is this? Is it possible to configure things like I am trying to or is this not intended functionality?