Forum Discussion
Programmatically authenticating SharePoint on-premises with OIDC protocol
I am trying to authenticate users from an external IdP to SharePoint Subscription Edition using the OIDC protocol.
I have set up the SharePoint farm as per the article:
https://learn.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/set-up-oidc-auth-in-sharepoint-server-with-msaad
I have obtained the token from the IdP in exchange for the code. The token has multiple parts: access_token, token_type, expires_in and id_token (which is a signed JWT that contains basic attributes about the user and is signed using the RS256 algorithm).
After obtaining the token, how do I authenticate to SharePoint?
I tried sending a request to a protected resource with an Authentication header. Do I use the access_token or the id_token as the bearer token? I have tried both and get 401 Unauthorized.
Any idea how to authenticate?
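
An added example, not part of the original post: decoding the parts of the token response described above to see, for each token, whether it is a JWT at all and what its `alg`, `iss`, `aud` and `exp` say. The sample response, issuer URL, client ID and function names are constructed for illustration, and the signature is deliberately not verified here.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def inspect_token(token: str, now: float) -> dict:
    """Describe a token without verifying its signature (diagnostic only)."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"format": "opaque"}  # not a compact JWS; nothing to decode
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return {"format": "opaque"}
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return {"format": "opaque"}
    aud = claims.get("aud")
    return {
        "format": "jwt",
        "alg": header.get("alg"),
        "iss": claims.get("iss"),
        "aud": aud if isinstance(aud, list) else [aud],  # aud may be a string or a list
        "expired": claims.get("exp", 0) <= now,  # a missing exp is reported as expired
    }

def inspect_response(response: dict, now: float) -> dict:
    # Report on both tokens returned by the token endpoint.
    return {k: inspect_token(response[k], now)
            for k in ("access_token", "id_token") if k in response}

# Constructed sample response: issuer, client ID and signature are placeholders.
NOW = 1_700_000_000
_header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
_claims = b64url_encode(json.dumps({
    "iss": "https://idp.example.test", "aud": "sharepoint-client-id",
    "sub": "user-123", "exp": NOW + 3600}).encode())
SAMPLE = {
    "access_token": "c2FtcGxlLW9wYXF1ZS10b2tlbg", "token_type": "Bearer", "expires_in": 3600,
    "id_token": f"{_header}.{_claims}.{b64url_encode(b'placeholder-signature')}",
}

if __name__ == "__main__":
    print(json.dumps(inspect_response(SAMPLE, NOW), indent=2))
```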