Unable to find keychain in entitlements.plist using MSAL and Xamarin (even though it is there!)

VC 1 Reputation point
2021-10-19T15:26:32.61+00:00

Set up:

  1. Windows 10 (current build/patches)
  2. VS 2019 (Version 16.11.5)
  3. Xamarin.Forms 5.0.0.2196
  4. iPhone (14.0.1) connected locally through USB
  5. Azure AD B2C service
  6. MSAL (Microsoft.Identity.Client) 4.37.0

Steps to reproduce:

  1. Build and run -
    https://github.com/Azure-Samples/active-directory-b2c-xamarin-native.git
  2. The app deploys and runs on the locally connected iPhone.
  3. The create account flow runs correctly; however, the attempt to create a token fails (see below for the error message).
    Fails at:
      AuthenticationResult authResult = await _pca.AcquireTokenInteractive(B2CConstants.Scopes)
          .WithPrompt(Prompt.NoPrompt)
          .WithAuthority(B2CConstants.AuthorityPasswordReset)
          .ExecuteAsync();

Error reported:
MSAL v 4.37.0 Microsoft.Identity.Client.MsalClientException "The application does not have keychain access groups enabled in the Entitlements.plist. As a result, there was a failure to save to the iOS keychain. The keychain access group '89R4957RMR.uk.sophisticated.bikes' is not enabled in the Entitlements.plist. Also, use the WithIosKeychainSecurityGroup api to set the keychain access group. See https://aka.ms/msal-net-enable-keychain-groups for more details on enabling keychain access groups and entitlements."

Further steps:

  1. I have replaced the default AD B2C directory with my own.
  2. This is correctly set up and the flows all work correctly for a Web App.
  3. I can see the authentication succeeding and a token being granted for the correct App in the AD B2C logs/audit.
  4. The app is being correctly instantiated:
    var builder = PublicClientApplicationBuilder.Create(B2CConstants.ClientID)
    .WithB2CAuthority(B2CConstants.AuthoritySignInSignUp)
    .WithIosKeychainSecurityGroup(B2CConstants.IOSKeyChainGroup)
    .WithRedirectUri($"msal{B2CConstants.ClientID}://auth");
  5. The entitlements.plist keychain is correctly set:
    <key>keychain-access-groups</key>
    <array>
    <string>$(AppIdentifierPrefix)uk.[domain].[app]</string>
    </array>
  6. The entitlements.plist is correctly set in the project (for iPhone) and the team is correct
    <CodesignEntitlements>Entitlements.plist</CodesignEntitlements>
  7. The URL type is correctly set in info.plist (but the code never gets this far):
    <array>
    <dict>
    <key>CFBundleURLName</key>
    <string>uk.[domain].[app]</string>
    <key>CFBundleURLSchemes</key>
    <array>
    <string>msal[guid for app]</string>
    </array>
    <key>CFBundleTypeRole</key>
    <string>None</string>
    </dict>
    </array>
  8. Tried updating libraries... no help.
  9. I am pulling what is left of my hair out. The only thought is that something is not working for the scenario of an iOS device connected locally. (This scenario has been a problem in other ways and does not seem to get reliably tested, e.g. Xamarin apps fail to deploy on iOS 15 for a local device!) I am waiting for a Mac to arrive to test whether deployment to a simulator works... but this is breaking further development.
  10. I cannot even see a way of disabling the keychain - this seems to be a requirement of MSAL (the error persists even if I remove the WithIosKeychainSecurityGroup property, but reverts to the default keychain group).

Am I missing something or is this a bug?
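One way to check offline whether what MSAL asks for matches what the build actually signs, as an added example that is not part of the question or of the MSAL sample: it expands $(AppIdentifierPrefix) with a team ID and compares the result to the group named in the error, and it lists which Configuration|Platform groups in the csproj carry CodesignEntitlements at all. The plist and csproj contents and the team ID below are constructed placeholders.

```python
"""Sanity check for MSAL iOS keychain entitlements (added example, not from the post)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs mirroring the fragments quoted in the question.
ENTITLEMENTS = """<plist version="1.0"><dict>
<key>keychain-access-groups</key>
<array><string>$(AppIdentifierPrefix)uk.example.app</string></array>
</dict></plist>"""

CSPROJ = """<Project>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|iPhoneSimulator' ">
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|iPhone' ">
<CodesignEntitlements>Entitlements.plist</CodesignEntitlements>
</PropertyGroup>
</Project>"""


def keychain_groups(plist_xml, team_id):
    """Keychain access groups with $(AppIdentifierPrefix) expanded to 'TEAMID.'."""
    children = list(ET.fromstring(plist_xml).find("dict"))
    groups = []
    for i, el in enumerate(children):
        if el.tag == "key" and el.text == "keychain-access-groups":
            # The <array> that follows the key holds the group strings.
            for s in children[i + 1].findall("string"):
                groups.append(s.text.replace("$(AppIdentifierPrefix)", team_id + "."))
    return groups


def configs_missing_entitlements(csproj_xml):
    """Configuration|Platform groups that set no CodesignEntitlements element."""
    missing = []
    for pg in ET.fromstring(csproj_xml).findall("PropertyGroup"):
        m = re.search(r"==\s*'([^']+)'", pg.get("Condition", ""))
        if m and pg.find("CodesignEntitlements") is None:
            missing.append(m.group(1))
    return missing


def check(plist_xml, csproj_xml, team_id, expected_group):
    """expected_group is the value quoted in the MSAL error (TEAMID.bundle-style)."""
    groups = keychain_groups(plist_xml, team_id)
    return {"group_enabled": expected_group in groups, "groups": groups,
            "configs_missing_entitlements": configs_missing_entitlements(csproj_xml)}


if __name__ == "__main__":
    print(check(ENTITLEMENTS, CSPROJ, "TEAM123456", "TEAM123456.uk.example.app"))
```

Run it against the real Entitlements.plist and csproj with the team ID shown in the error; a group that is enabled only for the simulator configuration will show up under configs_missing_entitlements for the device build.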
