The pod needs the label azure.workload.identity/use: "true" to work correctly. This blocked me for a while testing this out.