it does not seem partially secure to use client secret with a web assembly. I'd probably supply a webapi to do the work.
You are correct, the HttpClient defined for blazor WASM is a subset of the actually HttpClient, as it uses js interop to create a tcp connection (WASM runs in a sandbox with no network, dom or file support). You could use the javascript graph api sdk and call with js interop, or using HttpClient call the Graph REST api directly rather than the sdk. It better documented anyway.
https://learn.microsoft.com/en-us/graph/api/overview?view=graph-rest-1.0
to get token with the REST api see:
https://learn.microsoft.com/en-us/graph/auth-v2-service?tabs=http