Hi
It's not clear to me from the question if you've configured and are using easy auth explicitly.
Doing so would apply to the web app itself. REF: https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization
If you have more than one web app per hosting plan (to manage costs) then you can configure easyauth and a corresponding app registration for each.
Equally, you can use microsoft.identity if you want more control - or to test auth outside of the app service hosting (personally speaking this is my preferred method).
What I would really try and avoid, unless you have a very good reason for doing so, is using virtual directories. Yes, it is technically possible to do so with App Service, but in my experience working with customers it can also add unwanted complexity. It isn't exactly an anti-pattern (in my opinion) but at least in the customer-facing team I work for, we don't recommend it either.
Remember that each web app you create on a hosting plan has its own configuration (including easy auth if you choose to use it), can leverage its own slots and settings, and has process isolation.
Each web app on a plan shares compute resources and scales out together.
From the detail you've provided I think it would make more sense to have API and UI each on their own web app. These apps could be under the same plan, OR a different plan depending on whether you want it to scale the same or differently to the main MVC app and depending on cost - an extra hosting plan would incur extra costs.
Hope that helps