The cmdlets to get the token and make the patch call are correct. I tested your script in my test tenant with a single user account (by removing the foreach loop) and confirmed that it is clearing the value of extensionAttribute for that user.
The only problem I can think of is missing required permissions to perform that patch call. Since you are using the client_credentials flow, the patch operation is being performed under the application context. If the application doesn't have the required permissions to perform the patch operation, the call would fail.
The minimum permission required for this purpose is User.ReadWrite.All. You can assign this permission by following the steps below:
- Navigate to Azure AD > App Registration
- Select the Application whose client id you are using in the script.
- Go to API Permissions blade.
- Click on Add a permission.
- Click on Microsoft Graph and add User.ReadWrite.All under Application permissions and NOT under Delegated permissions.
- Click on Grant admin consent for Azure Active Directory button.
- Make sure you see the green check under status column.
Refer to the screenshot below, where I have highlighted these steps:
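To confirm that the application permission actually reached the token after admin consent, the access token returned by the client_credentials request can be decoded locally and its `roles` claim inspected. The PowerShell below is an added example, not part of the original answer or script; the function names are hypothetical and the sample token is constructed with placeholder values.

```powershell
# Added example: inspect an app-only Microsoft Graph token for an application permission.
# Decoding only; the signature is not verified. Intended for local troubleshooting.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    # JWT segments use the URL-safe alphabet and drop '=' padding.
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        1 { throw 'Invalid base64url length.' }
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token -split '\.'
    if ($parts.Count -ne 3) { throw 'Not a JWT (expected three dot-separated segments).' }
    ConvertFrom-Base64Url -Value $parts[1] | ConvertFrom-Json
}

function Test-GraphAppRole {
    param(
        [Parameter(Mandatory)][string]$Token,
        [string]$RequiredRole = 'User.ReadWrite.All'
    )
    $claims = Get-JwtClaims -Token $Token
    # App-only tokens carry application permissions in 'roles';
    # delegated tokens carry 'scp' instead, so 'roles' is empty for them.
    $roles = @($claims.roles | Where-Object { $_ })
    [pscustomobject]@{
        AppId   = $claims.appid      # present in v1.0-format tokens
        Roles   = $roles
        HasRole = $roles -contains $RequiredRole
    }
}

# Constructed sample token (unsigned, placeholder values) so the example runs offline.
function ConvertTo-Base64Url {
    param([string]$Text)
    $b64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$payload = '{"aud":"https://graph.microsoft.com","appid":"00000000-0000-0000-0000-000000000000","roles":["User.Read.All"]}'
$sample  = '{0}.{1}.sig' -f (ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'), (ConvertTo-Base64Url $payload)

Test-GraphAppRole -Token $sample   # HasRole is False: only User.Read.All was granted
```

Pass the access token your script obtained in place of `$sample`. If `HasRole` is still False after granting admin consent, request a new token, since a token issued before consent does not pick up the added permission.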