Here is a great reason to host your cloud services in Azure: Managed Service Identities
Instead of calling the AAD token endpoint with a client secret or certificate that your application has to store, protect and rotate, you can call a special token service that is part of the Azure infrastructure. The Managed Service Identity service is exposed on a local HTTP endpoint that is reachable only from inside the compute resource (a localhost address handed to the app through environment variables on App Service and Functions, the link-local instance metadata address on VMs) and it handles token acquisition for the identity registered for that VM / App Service / Function: your code asks for a token for a given resource and the platform signs in on the identity's behalf. No credential ships with the app, so there is nothing to leak through source control, config files or container images. Two things worth keeping in mind: any process running on that host can call the endpoint, which is why the endpoints insist on a custom request header (a plain browser-style GET triggered through your app will not carry it), and the identity should be granted only the permissions it actually needs, since a token for it is as good as a password for whoever can reach the endpoint.
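To make the exchange concrete, here is an added example (my own code, not something from the original post or from Microsoft's SDKs) of the token request an application sends to the MSI endpoint. It covers both endpoint shapes: the App Service / Functions one, where the platform supplies `MSI_ENDPOINT` and `MSI_SECRET` environment variables and expects the secret in a `Secret` header, and the VM one, where the request goes to the instance metadata service at 169.254.169.254 with a `Metadata: true` header. The endpoint address, secret and token values used for testing are constructed; the `fetch` and `now` parameters are injection points so the logic can be exercised off an Azure host.

```python
"""Acquire an Azure access token from the Managed Service Identity endpoint.

Added example, not code from the original post. Two documented endpoint shapes:
  * App Service / Functions: MSI_ENDPOINT + MSI_SECRET environment variables,
    api-version 2017-09-01, secret sent in the 'Secret' request header.
  * Virtual machines: instance metadata service at 169.254.169.254,
    api-version 2018-02-01, mandatory 'Metadata: true' request header.
"""
import json
import os
import time
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"


def build_token_request(resource, env=None):
    """Return (url, headers) for whichever MSI endpoint this environment exposes.

    `resource` is the audience the token is for, e.g. https://vault.azure.net.
    """
    env = os.environ if env is None else env
    if "MSI_ENDPOINT" in env and "MSI_SECRET" in env:
        # App Service / Functions: a per-instance localhost endpoint whose address
        # and shared secret the platform injects as environment variables.
        query = urllib.parse.urlencode(
            {"resource": resource, "api-version": "2017-09-01"})
        return "%s?%s" % (env["MSI_ENDPOINT"], query), {"Secret": env["MSI_SECRET"]}
    # VM: link-local IMDS endpoint. The Metadata header is required; requests
    # without it are rejected, which stops a naive forwarded GET from minting tokens.
    query = urllib.parse.urlencode(
        {"resource": resource, "api-version": "2018-02-01"})
    return "%s?%s" % (IMDS_TOKEN_URL, query), {"Metadata": "true"}


def _http_get(url, headers):
    """Default transport: plain GET, no redirects needed, short timeout."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def acquire_token(resource, env=None, fetch=_http_get, now=time.time):
    """Call the MSI endpoint and return (access_token, seconds_until_expiry).

    Both endpoint variants answer with JSON carrying at least access_token,
    expires_on (Unix seconds, as a string) and token_type.
    """
    url, headers = build_token_request(resource, env)
    body = json.loads(fetch(url, headers))
    if body.get("token_type", "Bearer") != "Bearer":
        raise ValueError("unexpected token_type: %r" % body.get("token_type"))
    expires_on = int(body["expires_on"])
    remaining = expires_on - int(now())
    if remaining <= 0:
        raise ValueError("MSI endpoint returned an already-expired token")
    return body["access_token"], remaining


if __name__ == "__main__":
    # Only meaningful on an Azure host with an identity assigned.
    token, ttl = acquire_token("https://management.azure.com/")
    print("got token for ARM, valid for %d more seconds" % ttl)
```

The caller then sends the token as `Authorization: Bearer <access_token>` to the target service and refreshes it before `expires_on`; the platform caches tokens on its side, so asking again shortly before expiry is cheap.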
I'll be trying this out soon. Certainly makes applications more secure.