Cosmos DB RBAC via Visual Studio

Ryan Peterson 0 Reputation points
2025-01-15T15:01:57.45+00:00

I am working through the steps to mitigate the policy "Azure Cosmos DB accounts should use Azure Active Directory as the only authentication method" and while my changes to support this are in fact working as expected against a deployed version of our Function App, I continue to have problems when attempting to run locally through Visual Studio.

Things known/confirmed

  1. Deployed version using the ManagedIdentity (function app) & associated RBAC changes for the CosmosDB data plane are working
  2. Visual Studio execution leveraging DefaultAzureCredential() does in fact select a Type=VisualStudioCredential as expected.
  3. The correct account is selected in the 'Azure Service Authentication' Visual Studio options
  4. My user account is in a group that was assigned both roles "Cosmos DB Built-in Data Reader" and "Cosmos DB Built-in Data Contributor" [same assignment granted to the ManagedIdentity principal ID] - attempts to insert fail
  5. I directly assigned my user account ID the roles "Cosmos DB Built-in Data Reader" and "Cosmos DB Built-in Data Contributor" [same assignment granted to the ManagedIdentity principal ID] - attempts to insert fail
  6. It has been well over 24 hours since any permission or group membership changes were applied
  7. I DO NOT see any option in the 'Azure Service Authentication' Visual Studio options dialog to "reauthenticate"
  8. I've manually deleted my %localappdata%/.IdentityService folder after closing VS and wired up the account a second time - attempts to insert fail

While getting this to run in a deployed environment is a positive outcome, being unable to run locally (and therefore DEBUG) makes me very reluctant to push the rest of my teams to adopt this "best practice" until this can be addressed. It will slow down development efforts.
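A local diagnostic for the situation described above, added here as an example and not code from the question or from the Azure SDK docs: it requests the same Cosmos DB data-plane token that DefaultAzureCredential hands to CosmosClient, prints the identity claims it carries so the `oid` and `tid` can be compared with the principal ID and tenant of the data-plane role assignment, and then attempts the failing insert. The account endpoint, database, container and partition key path are placeholders, and the `https://cosmos.azure.com/.default` scope is the one the Cosmos SDK uses for Entra ID authentication.

```csharp
// Added diagnostic (not from the original question): show which identity the
// local credential chain actually resolves to before the insert is attempted.
using System;
using System.Net;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Azure.Cosmos;

class CosmosRbacDiag
{
    // Data-plane audience the Cosmos SDK requests for Entra ID / AAD auth.
    const string CosmosScope = "https://cosmos.azure.com/.default";

    // Decode the JWT payload (base64url) without validating it; this is only
    // for inspecting claims locally, never for trusting the token.
    static string DecodeJwtPayload(string jwt)
    {
        var part = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        part = part.PadRight(part.Length + (4 - part.Length % 4) % 4, '=');
        return Encoding.UTF8.GetString(Convert.FromBase64String(part));
    }

    static async Task Main()
    {
        var endpoint = "https://<account>.documents.azure.com:443/"; // placeholder
        var cred = new DefaultAzureCredential();

        // Same scope CosmosClient would use; the claims identify who the
        // role assignment must have been granted to (oid) and in which tenant (tid).
        var token = await cred.GetTokenAsync(new TokenRequestContext(new[] { CosmosScope }));
        using var doc = JsonDocument.Parse(DecodeJwtPayload(token.Token));
        var p = doc.RootElement;
        Console.WriteLine($"oid={p.GetProperty("oid")} tid={p.GetProperty("tid")} aud={p.GetProperty("aud")}");
        // Compare oid with the principalId in the data-plane role assignment
        // (for a group assignment, the group must contain this oid).

        using var client = new CosmosClient(endpoint, cred);
        var container = client.GetContainer("<database>", "<container>"); // placeholders
        try
        {
            await container.CreateItemAsync(
                new { id = Guid.NewGuid().ToString(), pk = "diag" }, new PartitionKey("diag"));
            Console.WriteLine("insert OK");
        }
        catch (CosmosException ex) when (ex.StatusCode == HttpStatusCode.Forbidden)
        {
            // 403 with a matching oid/tid points at the role assignment scope; a
            // mismatched tid points at the credential signing in to the wrong tenant.
            Console.WriteLine($"403 Forbidden: {ex.Message}");
        }
    }
}
```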
