The error you get is because the request has an Origin header suggesting a Public client while AAD expects something else. This is because you are using the Client Credentials Flow which is meant for serve side confidential client applications on a Single Page Application which is a public client.
You should not be using client credentials flow on SPA because there is no way to secure the client secret. In your case you should be using authorization code flow which is meant for SPAs. If you have to use Client Credential flow, you should move the communication with Graph to serve side.