At this point I'm also updating this thread in case someone else ever asks the same question :)
This piece of documentation suggests that certificate-based claims can only be Unicode strings:
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/f062ba4d-21f4-4c71-86b2-cf77db663755
But it is irrelevant where the claims come from, because following that trail of breadcrumbs leads to this:
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/252d7e10-eaf8-44e9-8b8d-205b384f5782
No matter where the claims come from, the spec says clearly that the only data types that are supported are:
- Int64Values
- Uint64Values
- StringValues
- BooleanValues
So I think I have enough evidence that the Win32 API for getting claims information from the user token via GetTokenInformation doesn't match the Directory Services specification.
I'm still interested to hear from others if they have reason to believe otherwise.
My guess is that the GetTokenInformation information is simply based on possible attribute value types, and Directory Services simply uses only a subset of those for processing claims.
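The following is an added example, not code from the poster or from the thread. It makes the mismatch described above observable on a real token: it calls GetTokenInformation with TokenUserClaimAttributes on the current process token, walks the returned CLAIM_SECURITY_ATTRIBUTE_V1 array, and marks each claim's ValueType as either inside or outside the four value types MS-ADTS defines (Int64, UInt64, String, Boolean). The P/Invoke class name `TokenClaims` and the variable names are my own; the struct layouts and constants mirror winnt.h. It assumes a Windows host; on a domain-joined machine with claims-enabled policy it lists the user's claims, otherwise it reports that the token carries none.

```powershell
# Added example, not code from the original post. Enumerates the current process
# token's user claims via GetTokenInformation(TokenUserClaimAttributes) and flags any
# claim whose ValueType is not one of the four MS-ADTS claim value types.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public static class TokenClaims
{
    // Mirrors CLAIM_SECURITY_ATTRIBUTES_INFORMATION from winnt.h.
    [StructLayout(LayoutKind.Sequential)]
    public struct CLAIM_SECURITY_ATTRIBUTES_INFORMATION
    {
        public ushort Version;
        public ushort Reserved;
        public uint   AttributeCount;
        public IntPtr pAttributeV1;   // PCLAIM_SECURITY_ATTRIBUTE_V1 (union member)
    }

    // Mirrors CLAIM_SECURITY_ATTRIBUTE_V1 from winnt.h.
    [StructLayout(LayoutKind.Sequential)]
    public struct CLAIM_SECURITY_ATTRIBUTE_V1
    {
        public IntPtr Name;           // PWSTR
        public ushort ValueType;      // CLAIM_SECURITY_ATTRIBUTE_TYPE_*
        public ushort Reserved;
        public uint   Flags;
        public uint   ValueCount;
        public IntPtr Values;         // union of value-array pointers
    }

    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
        IntPtr TokenInformation, uint TokenInformationLength, out uint ReturnLength);
}
"@

$TOKEN_QUERY              = 0x0008
$TokenUserClaimAttributes = 33      # TOKEN_INFORMATION_CLASS value

# Value types GetTokenInformation can return (CLAIM_SECURITY_ATTRIBUTE_TYPE_* in winnt.h)
$win32Types = @{ 1 = 'INT64'; 2 = 'UINT64'; 3 = 'STRING'; 4 = 'FQBN'; 5 = 'SID'; 6 = 'BOOLEAN'; 16 = 'OCTET_STRING' }
# The subset MS-ADTS defines for claim values: Int64Values, Uint64Values, StringValues, BooleanValues
$adtsTypes  = @(1, 2, 3, 6)

$hToken = [IntPtr]::Zero
if (-not [TokenClaims]::OpenProcessToken([TokenClaims]::GetCurrentProcess(), $TOKEN_QUERY, [ref]$hToken)) {
    throw "OpenProcessToken failed (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
}

$len = [uint32]0
# First call with no buffer only reports the required size (ERROR_INSUFFICIENT_BUFFER is expected here).
[void][TokenClaims]::GetTokenInformation($hToken, $TokenUserClaimAttributes, [IntPtr]::Zero, 0, [ref]$len)
$buf = [Runtime.InteropServices.Marshal]::AllocHGlobal([int]$len)
try {
    if (-not [TokenClaims]::GetTokenInformation($hToken, $TokenUserClaimAttributes, $buf, $len, [ref]$len)) {
        throw "GetTokenInformation failed (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
    }
    $info = [Runtime.InteropServices.Marshal]::PtrToStructure($buf, [type][TokenClaims+CLAIM_SECURITY_ATTRIBUTES_INFORMATION])
    if ($info.AttributeCount -eq 0) { Write-Host "no user claims in this token"; return }

    $stride = [Runtime.InteropServices.Marshal]::SizeOf([type][TokenClaims+CLAIM_SECURITY_ATTRIBUTE_V1])
    for ($i = 0; $i -lt $info.AttributeCount; $i++) {
        $p    = [IntPtr]::Add($info.pAttributeV1, $i * $stride)
        $attr = [Runtime.InteropServices.Marshal]::PtrToStructure($p, [type][TokenClaims+CLAIM_SECURITY_ATTRIBUTE_V1])
        $name = [Runtime.InteropServices.Marshal]::PtrToStringUni($attr.Name)
        $type = $win32Types[[int]$attr.ValueType]
        if (-not $type) { $type = ('UNKNOWN(0x{0:X})' -f $attr.ValueType) }
        $note = if ($adtsTypes -contains [int]$attr.ValueType) { 'MS-ADTS value type' } else { 'NOT an MS-ADTS claim value type' }
        Write-Host ("{0,-40} ValueType={1,-12} ValueCount={2,-3} {3}" -f $name, $type, $attr.ValueCount, $note)
    }
}
finally {
    [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
    [void][TokenClaims]::CloseHandle($hToken)
}
```

Because the structs are declared with sequential layout and native pointer sizes, the same script works under 32-bit and 64-bit PowerShell. The `$win32Types` table is the full set of CLAIM_SECURITY_ATTRIBUTE_TYPE_* values the token API can hand back, so the FQBN, SID and OCTET_STRING rows are exactly the ones that have no counterpart in the MS-ADTS claim definition.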