In Azure, the recommended place to store application secrets is Azure Key Vault. ASP.NET Core makes it easy for an application to read secrets from Key Vault, but the application needs to be given valid credentials to do so.
Key Vault allows us to separate the roles of key managers, key consumers, and developers. The separation is important in the production data environment.
ASP.NET Core supports Azure Key Vault as a configuration source. But I would not want to put a client id and secret in the configuration somewhere. It would kind of defeat the purpose of using Key Vault. So why don't we use Azure AD Managed Service Identity to get tokens for Key Vault, and get the configuration that way?