Hello @Bert Sachs (DB), Azure AD access tokens are validated by Azure SQL Server, otherwise any could be accepted. Additional authorization rules are applied based on Azure SQL roles and permissions. Using managed identities is already a security best practice.
Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.