I am trying to validate the access token provided by Azure OAuth2. I am using nimbus to validate the token, however I keep getting the "invalid signature" error.
I read on some pages that if the access token contains a nonce, then I won't be able to validate it since it's meant to be used internally by Microsoft only. I followed the instructions on this page (https://authguidance.com/azure-ad-troubleshooting/) to get the access token without a nonce, but it doesn't work.
I can see that the ID token doesn't contain a nonce, but the access token does.
Does anyone know how I can get an access token (without a nonce) that I can validate using nimbus?
Note that, if you validate an access token generated with Microsoft Graph APIs as the scope, you will get an "Invalid Signature" error as it has a nonce claim.
I tried to reproduce the same in my environment and got the results below:
I registered one Azure AD application and added Microsoft Graph API permissions as below:
Now I generated an access token and ID token using the authorization code flow via Postman with the parameters below:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:<appID>
grant_type:authorization_code
scope: https://graph.microsoft.com/User.Read openid
code:code
redirect_uri: https://jwt.ms
client_secret: <secret>
Response:
When I decoded the above access token on the jwt.io website, I too got an Invalid Signature error as it has a nonce claim, like below:
To get an access token without a nonce claim, change the scope value to a custom API instead of Microsoft APIs.
I added an Application ID URI and a new scope named Custom.Read by selecting Expose an API in my application, like this:
You can find the above scope under My APIs of your application with the same name, like this:
Now, add that scope in the API permissions of your application, like this:
Make sure to grant admin consent to the added permission, like below:
To get the code, I ran the authorization request below in the browser:
https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/authorize
?client_id=<appID>
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=api://<appID>/.default
&state=12345
Response:
Now, I generated an access token by changing the scope to the custom API using the authorization code flow via Postman, like below:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:<appID>
grant_type:authorization_code
scope: api://<appID>/Custom.Read openid
code:code
redirect_uri: https://jwt.ms
client_secret: <secret>
Response:
When I decoded the above access token on the jwt.io website, it does not have a nonce claim and the signature verified successfully, like below:
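As an added example (not the answer's own code), this is how the Graph-versus-custom-API distinction described above can be enforced with Nimbus JOSE+JWT: the verifier rejects a token carrying the nonce header up front with a clear reason, then checks the signature against the tenant's JWKS and pins issuer and audience. TENANT_ID and APP_ID are placeholders, and the audience and issuer values are assumptions for a v2.0 token issued for the api://<appID>/Custom.Read scope.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.net.URL;
import java.util.Set;

public class AzureAccessTokenValidator {
    // Placeholders: your tenant and the app that exposes api://<appID>/Custom.Read
    static final String TENANT_ID = "<tenantID>";
    static final String APP_ID = "<appID>";

    public static JWTClaimsSet validate(String accessToken) throws Exception {
        SignedJWT jwt = SignedJWT.parse(accessToken);
        // A Graph-scoped token carries a "nonce" header; its signature is meant for
        // Microsoft only, so reject it with a clear reason instead of "invalid signature".
        if (jwt.getHeader().getCustomParam("nonce") != null) {
            throw new BadJOSEException("Token has a nonce header: it was issued for Microsoft "
                + "Graph, not for your API. Request scope api://" + APP_ID + "/Custom.Read.");
        }

        // Signing keys are fetched (and cached) from the tenant's v2.0 JWKS endpoint.
        JWKSource<SecurityContext> keys = new RemoteJWKSet<>(
            new URL("https://login.microsoftonline.com/" + TENANT_ID + "/discovery/v2.0/keys"));

        DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, keys));

        // Assumed v2.0 token shape: aud is the App ID URI or the app ID, iss is the v2.0 issuer.
        // Pinning both stops a valid token minted for some other API from being accepted here.
        processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
            Set.of("api://" + APP_ID, APP_ID),
            new JWTClaimsSet.Builder()
                .issuer("https://login.microsoftonline.com/" + TENANT_ID + "/v2.0").build(),
            Set.of("sub", "iat", "exp"),   // must be present; exp/nbf are also checked for time
            Set.of()));
        return processor.process(jwt, null);   // verifies the signature, then the claims above
    }

    public static void main(String[] args) throws Exception {
        System.out.println(validate(args[0]).toJSONObject());
    }
}
```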