Not written anything for AAD, but from the documentation, it says that when you specify "/common" endpoint instead of tenant, the issuer in returned token will contain the templated URL instead of GUID value of issuer, so you cannot just use the "issuer in metadata" (as in: https://login.microsoftonline.com/contoso.onmicrosoft.com/.well-known/openid-configuration ) to match "issuer value in token" for validation.
Therefore you should disable issuer validation for it to work.
Instead they should use "issuer value" or the "tid claim value" in the token to match against list of valid subscribers (maybe here's the point of confusion?). I would have used a test account from each of the tenants of interest to log in and capture the returned token, and in turn use the tokens captured to build the list of expected values for each tenant.
Maybe you should check the example on /common endpoint and see if it can clear things up a bit. This section on OnTokenValidated event handling shows how to do validation with the .tid field mentioned before. These examples do not use HttpClient and use the OpenID Connect ASP.NET Core middleware library instead.
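The tenant check described in this answer, sketched as an added example that is not part of the original post or of Microsoft's samples. It runs on claims from a token whose signature, audience and lifetime were already verified. The issuer template is assumed to be the v2.0 form (read the real value from the /common metadata document), and the tenant GUIDs and the `validate_tenant` name are constructed placeholders.

```python
import re

# Assumed v2.0 issuer template; take the real one from the /common metadata.
ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tenantid}/v2.0"

# Constructed placeholder GUIDs standing in for the subscribed tenants.
ALLOWED_TENANTS = {
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
}

GUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")


def validate_tenant(claims, template=ISSUER_TEMPLATE, allowed=ALLOWED_TENANTS):
    """Return (ok, reason) for already signature-verified token claims."""
    tid = claims.get("tid")
    if not isinstance(tid, str) or not GUID_RE.fullmatch(tid.lower()):
        return False, "missing or malformed tid"
    # Fill the token's own tid into the template and require an exact match,
    # so a token whose iss and tid disagree is rejected.
    if claims.get("iss") != template.replace("{tenantid}", tid):
        return False, "iss does not match template for tid"
    # Only tenants on the subscriber list are accepted.
    if tid.lower() not in allowed:
        return False, "tenant not subscribed"
    return True, "ok"


# Constructed sample claims (not captured from a real tenant).
SUBSCRIBED = {
    "tid": "11111111-1111-1111-1111-111111111111",
    "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
}
UNKNOWN = {
    "tid": "99999999-9999-9999-9999-999999999999",
    "iss": "https://login.microsoftonline.com/99999999-9999-9999-9999-999999999999/v2.0",
}
MISMATCH = {"tid": SUBSCRIBED["tid"], "iss": UNKNOWN["iss"]}

if __name__ == "__main__":
    for name, c in [("subscribed", SUBSCRIBED), ("unknown", UNKNOWN),
                    ("mismatch", MISMATCH)]:
        print(name, validate_tenant(c))
```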