I registered an app in the Azure AD Portal:

Get Access Token:
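    using Microsoft.Identity.Client;

    var clientId = "<<AAD_APP_CLIENT_ID>>";
    var tenantId = "<<AAD_TENANT_ID>>";

    // GetCertificate is a helper that is not shown here; it takes the PFX path and its password.
    using var certificate = GetCertificate(
        Path.Combine(Environment.CurrentDirectory, "MyAppCertificate.pfx"),
        "<<CERTIFICATE_PASSWORD>>");

    // Confidential client that authenticates with the certificate.
    var confidentialClient = ConfidentialClientApplicationBuilder
        .Create(clientId)
        .WithTenantId(tenantId)
        .WithCertificate(certificate)
        .Build();

    // endpoint is defined elsewhere (not shown); "/.default" requests the
    // application permissions already granted to the app for that resource.
    var token = await confidentialClient
        .AcquireTokenForClient(new[] { $"{endpoint.TrimEnd('/')}/.default" })
        .ExecuteAsync();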
Can we make the App Permission focus on a detailed site collection?