I'm following the docs at https://docs.microsoft.com/en-us/sharepoint/dev/spfx/web-parts/guidance/connect-to-api-secured-with-... to have my SPFx web part call an Azure AD secured web API using a hidden iframe.
It works great as long as the web part only issues GET requests. But Azure blocks all POST requests with an error about cross-site forgery or something like that.
I read a bunch of blogs about it, and they say you can get around this by implementing the authentication code in your API code, rather than relying on Azure to do the authentication.
Has anyone done this, or does anyone know of a good article on how to do it?