
Path-based App Service + EasyAuth behind Application Gateway - HTTP 500 error on /.auth/login/aadcallback


I'm currently struggling to set up multiple app services with EasyAuth behind an application gateway using path-based routes. The configuration looks like this:

These app services use EasyAuth authentication with different Entra ID applications. As I'm using internal private domains, there are no custom domains configured on them. For each app the authSettingsV2 looks like this:

{
  "httpSettings": {
    "forwardProxy": {
      "convention": "Custom",
      "customHostHeaderName": "X-Original-Host"
    }
  },
  "identityProviders": {
    "azureActiveDirectory": {
      "registration": {
        "clientId": "f4a511...",
        "clientSecretSettingName": "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET",
        "openIdIssuer": "https://sts.windows.net/d7.../v2.0"
      },
      "enabled": true,
      "login": {
        "loginParameters": [
          "redirect_uri=https://my-custom-internal-domain/<app>/.auth/login/aad/callback"
        ]
      }
    }
  },
  "login": {
    "allowedExternalRedirectUrls": [
      "https://my-custom-internal-domain/<app>/.auth/login/aad/callback"
    ]
  }
}

When hitting the root application /my-custom-internal-domain/, everything works fine. Users are able to authenticate and the redirect URI is set correctly (I don't have any rewrite rules on the gateway, just forward proxy settings configured on the app services). However, when hitting the /my-custom-internal-domain/app1 application, the login process is initiated but it fails on the /my-custom-internal-domain/app1/.auth/login/aad/callback page with an HTTP 500 error.

Inspecting EasyAuth errors from the app service, I can see "Failed to read the 'AppServiceAuthSession' cookie for site 'my-custom-internal-domain': The signature of the encrypted data is invalid.", which I suppose is the root error. My guess is that the cookie path is not set properly for this specific app path and auth fails, but I don't know how to check/fix this.

How can I configure authentication with EasyAuth for apps accessed from a specific path (not the root one)? Is it even possible? I tried pretty much everything but with no luck.

I would expect the EasyAuth process to take care of the application base path but it seems that is not that easy.

Thanks!


Solution

  • Finally found a way to do this using the apiPrefix property on the app service: https://techcommunity.microsoft.com/blog/azurenetworkingblog/understanding-azure-app-service-authentication-challenges-with-path-based-routin/4372730
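As an added example (not part of the question or the linked post), the following Python script checks an authSettingsV2 document for the three places that have to agree when an app is served under a path prefix: the forward proxy host header, the redirect_uri login parameter, the allowedExternalRedirectUrls entry, and the apiPrefix from the accepted solution. It assumes the apiPrefix lives at httpSettings.routes.apiPrefix and takes the form /<app>/.auth (the default prefix being /.auth, under which EasyAuth would never see the /app1/.auth/... callback the gateway forwards); the client id and issuer are placeholders, and the sample settings are constructed from the question with <app> set to app1.

```python
import copy
import json
from urllib.parse import urlsplit

# Constructed sample: the authSettingsV2 from the question with <app> = app1.
# Client id and tenant id are placeholders, not real values.
BASE_SETTINGS = {
    "httpSettings": {
        "forwardProxy": {"convention": "Custom", "customHostHeaderName": "X-Original-Host"}
    },
    "identityProviders": {
        "azureActiveDirectory": {
            "registration": {
                "clientId": "00000000-0000-0000-0000-000000000000",  # placeholder
                "clientSecretSettingName": "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET",
                "openIdIssuer": "https://sts.windows.net/<tenant-id>/v2.0",  # placeholder
            },
            "enabled": True,
            "login": {
                "loginParameters": [
                    "redirect_uri=https://my-custom-internal-domain/app1/.auth/login/aad/callback"
                ]
            },
        }
    },
    "login": {
        "allowedExternalRedirectUrls": [
            "https://my-custom-internal-domain/app1/.auth/login/aad/callback"
        ]
    },
}


def callback_path(base_path: str) -> str:
    """Callback path EasyAuth must serve when the app lives under base_path ('' for the root app)."""
    return f"{base_path.rstrip('/')}/.auth/login/aad/callback"


def check_path_routing(settings: dict, base_path: str) -> list:
    """Return a list of findings; an empty list means the settings are consistent for base_path."""
    findings = []
    http = settings.get("httpSettings", {})

    # 1. Redirects must be built from the gateway's host, not the app service's internal one.
    proxy = http.get("forwardProxy", {})
    if proxy.get("convention") != "Custom" or not proxy.get("customHostHeaderName"):
        findings.append("forwardProxy must be Custom with a host header (e.g. X-Original-Host)")

    expected = callback_path(base_path)

    # 2. The redirect_uri sent to Entra ID must carry the path prefix.
    aad = settings.get("identityProviders", {}).get("azureActiveDirectory", {})
    params = aad.get("login", {}).get("loginParameters", [])
    redirect_uris = [p.split("=", 1)[1] for p in params if p.startswith("redirect_uri=")]
    if not any(urlsplit(u).path == expected for u in redirect_uris):
        findings.append(f"redirect_uri loginParameter does not point at {expected}")

    # 3. The same prefixed callback must be an allowed external redirect.
    allowed = settings.get("login", {}).get("allowedExternalRedirectUrls", [])
    if not any(urlsplit(u).path == expected for u in allowed):
        findings.append(f"allowedExternalRedirectUrls has no URL with path {expected}")

    # 4. (assumed property location) EasyAuth only handles requests under apiPrefix,
    #    which defaults to /.auth; a prefixed app needs /<app>/.auth.
    prefix = http.get("routes", {}).get("apiPrefix", "/.auth")
    expected_prefix = f"{base_path.rstrip('/')}/.auth"
    if base_path.strip("/") and prefix != expected_prefix:
        findings.append(f"httpSettings.routes.apiPrefix is {prefix!r}, expected {expected_prefix!r}")
    return findings


def with_api_prefix(settings: dict, base_path: str) -> dict:
    """Return a copy of settings with apiPrefix aligned to base_path (assumed property location)."""
    fixed = copy.deepcopy(settings)
    routes = fixed.setdefault("httpSettings", {}).setdefault("routes", {})
    routes["apiPrefix"] = f"{base_path.rstrip('/')}/.auth"
    return fixed


if __name__ == "__main__":
    print(check_path_routing(BASE_SETTINGS, "/app1"))
    fixed = with_api_prefix(BASE_SETTINGS, "/app1")
    print(check_path_routing(fixed, "/app1"))
    print(json.dumps(fixed["httpSettings"], indent=2))
```

Run against the question's settings, the only finding is the missing apiPrefix, which matches the accepted solution; after with_api_prefix the check is clean. Because every app service behind the gateway shares one host name, each app's callback and auth prefix must be distinct per path, which is what the check enforces.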