Describe the bug
I am not sure if this scenario is supported or not, so I will try to ask my question here.
Scenario
I am using workload identities, so a managed identity + federation to a Kubernetes service account (AKS).
In my organization, we use app registrations to expose App Roles and consume them; usually we have
app-registration-api: exposes roles
app-registration-consumer: consumes roles
Usually we have a client ID + secret in a key vault, which the identity then collects in order to create a valid token with the correct scopes and API permissions (with granted permissions).
And it seems that I should be able to:
from my app registration "app-registration-consumer", make a federation to my "workload-identity", and then, following the guide, generate a token for app-registration-consumer without the need for a client secret.
Now, I am having issues getting this to work, but I would appreciate some confirmation that this scenario is supported. Can you confirm that it is?
In short:
Does managed identity + app registration with a workload-federated managed identity support generating tokens for custom-developed APIs exposed as App Roles in your Entra ID?
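As an added example that is not part of this issue or the project's code: the exchange the scenario above describes, assuming the Entra client-assertion flow in which the managed identity's token (audience api://AzureADTokenExchange) is presented as the federated credential for app-registration-consumer. Tenant and app IDs are placeholders, `make_unsigned_jwt` only constructs sample tokens for the checks, and the issue itself does not confirm the scenario is supported.

```python
import base64
import json

# Placeholder identifiers; real values come from your tenant (constructed for illustration).
TENANT_ID = "<tenant-id>"
CONSUMER_APP_ID = "<app-registration-consumer-client-id>"
API_APP_ID = "<app-registration-api-client-id>"
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"

# Scope requested from the managed identity in the first leg (assumption: Microsoft's
# documented exchange audience for a managed identity used as a federated credential).
EXCHANGE_SCOPE = "api://AzureADTokenExchange/.default"


def build_client_assertion_request(mi_token: str) -> dict:
    """Second leg: form fields that trade the managed identity token (client_assertion)
    for an access token issued to the consumer app registration, scoped to the custom API."""
    return {
        "grant_type": "client_credentials",
        "client_id": CONSUMER_APP_ID,
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": mi_token,
        "scope": f"api://{API_APP_ID}/.default",
    }


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(jwt: str) -> dict:
    """Read the JWT payload without verifying the signature; inspection only, never trust."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def token_grants_role(jwt: str, expected_role: str) -> bool:
    """Check that the returned token targets the API and carries the expected App Role."""
    claims = decode_claims(jwt)
    aud_ok = claims.get("aud") in (API_APP_ID, f"api://{API_APP_ID}")
    return aud_ok and expected_role in claims.get("roles", [])


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned sample token (alg=none) for exercising the checks offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

The first leg (obtaining the managed identity token for `EXCHANGE_SCOPE`) is done by the workload identity SDK or the pod's projected token; the form above is then POSTed to `TOKEN_ENDPOINT`.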