Client Environment -

Client have 2 different Azure tenant , One is commercial Azure(cloud) and another is Gov Azure(cloud). There is a tunnel between 2 clouds. Also they are using OAuth for authentication from Azure AD ( Azure AD in Gov Cloud).

Commercial cloud have 2 VM, One is for SharePoint 2016 VM ( On–Prime) and another is used for application(Asp.net Core 2.0 WEB API and Angular web application).

Commercial and Gov Azure is just a simple 2 different tenant.

Problem -

We want to access SharePoint 2016 resources (REST API) using OAuth in an Web API and we configure Azure AD to authenticate SharePoint 2016 (https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial).
In our Custom API we are acquiring token by setting up following parameters { "client_id","client_secret","grant_type", "resource"}.
Received token we use for SharePoint REST APIs which is not working.

Findings – When I go through the many documents and Microsoft articles then come to know that Azure AD provides only SAML 2.0 but SharePoint can only understand SAML 1.1 format. Now we are stuck that how we can solve this problem. Also I have notice that when we access SharePoint 2016 site on browser then it used WS_Fed authentication for SharePoint and we are still not able to get any useful api which can give us SAML1.1 token from Azure AD to SharePoint 2016 On-prime.

if there is any PnP function/command which can stablished the trust between Azure and SharePoint 2016 on prime vm by code. Please let me know.

Thanks