There are two cases for token redemption (using authorization_code mode): from Web Application and from Single-Page Application (PKCE).
When using a SPA, Azure Identity requires that the token redemption comes from a browser (not a web server). The request for the code exchange must contain the 'Origin' header. If not, you get the error: "Tokens issued for the 'Single-Page Application' client-type may only be redeemed via cross-origin requests".
I have a small NodeJS app that I use to test all oAuth authorization modes, and I got the error reported in this thread because I use the same redeem function for WebApp and SPA.
I removed the 'Origin' header, and the error is gone.
If you have a Web Application, be sure that there is no 'Origin' header sent to the server when exchanging a code for a token.
Not sure if it's a bug or feature tho!