AD tokens represent more than just the current user. They also include claims about who issued the token and an "audience" (who is allowed to use the token). Tokens are usually JWTs and can be decoded using a tool such as http://jwt.calebb.net/ . The token for your web application most likely has a different "audience" than the token for SharePoint Online. You need to do a "token exchange" to get a token with the right audience. ADAL can do the exchange for you (see AcquireTokenAsync). There is an Azure Functions binding that performs the token exchange for AD (the following part is the important one for you: see https://github.com/Azure/azure-functions-microsoftgraph-extension/blob/master/src/TokenBinding/AadClient.cs#L49 ), but it is in preview.
Please note that there are no Azure Functions / WebAPI involved here - this is purely AD, and you can test this (the token exchange code) in a console application.
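One way to do that exchange with ADAL's on-behalf-of overload of AcquireTokenAsync, as an added example that is not code from the answer or from the linked Azure repo; the authority, client id, client secret and SharePoint URL are placeholders, and the audience pre-check assumes the System.IdentityModel.Tokens.Jwt package:

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Hypothetical helper; every tenant/client/resource value below is a placeholder.
public static class SharePointTokenExchange
{
    const string Authority = "https://login.microsoftonline.com/<tenant-id-placeholder>";
    const string ClientId = "<web-app-client-id-placeholder>";
    const string ClientSecret = "<web-app-client-secret-placeholder>";
    // Resource (audience) of the token we need for SharePoint Online.
    const string SharePointResource = "https://<tenant-placeholder>.sharepoint.com";

    // Reads the "aud" claim of a JWT without validating it (decode only, like
    // the jwt.calebb.net tool). Use it for diagnostics, never for authorization.
    public static string ReadAudience(string jwt)
    {
        JwtSecurityToken token = new JwtSecurityTokenHandler().ReadJwtToken(jwt);
        return token.Audiences.FirstOrDefault();
    }

    // Exchanges the token the web app received (aud = the web app) for a token
    // whose aud is SharePoint Online. ADAL sends the incoming token as a
    // jwt-bearer user assertion together with the app's own client credential.
    public static async Task<string> GetSharePointTokenAsync(string incomingJwt)
    {
        if (string.Equals(ReadAudience(incomingJwt), SharePointResource,
                          StringComparison.OrdinalIgnoreCase))
            return incomingJwt; // already has the right audience, nothing to exchange

        var ctx = new AuthenticationContext(Authority);
        var clientCred = new ClientCredential(ClientId, ClientSecret);
        var assertion = new UserAssertion(incomingJwt,
            "urn:ietf:params:oauth:grant-type:jwt-bearer");

        AuthenticationResult result =
            await ctx.AcquireTokenAsync(SharePointResource, clientCred, assertion);
        return result.AccessToken; // decode this one and its "aud" is SharePoint
    }
}
```

The exchange only succeeds if the web app registration has been granted the SharePoint permissions it requests on behalf of the user; otherwise AcquireTokenAsync throws an AdalServiceException describing the consent error.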