InvalidAuthenticationTokenAudience – Logic Apps的身份验证

English:

InvalidAuthenticationTokenAudience - Authentication for Logic Apps

Question

After several days of effort, I will try to seek some help here. I have several Logic Apps - some with HTTP triggers and others with SQL triggers (fired when an item is created or when an item is modified). They run every X hours, but the client has asked to also be able to run the Logic Apps manually via a button click in his custom web application.

To be able to run the Logic Apps (call the triggers), I am trying to obtain an authorized Bearer token and run the Logic App. I followed these steps: https://www.serverlessnotes.com/docs/securing-azure-logic-app-http-triggers-with-azure-ad#.

In short, I created two app registrations (client and service), including the app role and API permissions. Then, under the Logic App's Authorization section, I added the Issuer (https://login.windows.net/{tenantid}/oauth2/token/) and the Audience (the ClientId of the service app registration) - that is step 5 in the link.

But I can see I am missing some understanding here, because now when I test it (as described in the link) I get the following error.

First, getting the token:

[screenshot]

Then trying to execute the Logic App trigger with that token:

[screenshot]

The access token has been obtained for wrong audience or resource 'XXX'. It should exactly match with one of the allowed audiences 'https://management.core.windows.net/','https://management.core.windows.net','https://management.azure.com/','https://management.azure.com'.

The link for the POST request is the Logic App's trigger, as follows:
https://management.azure.com/subscriptions/{id}/resourceGroups/{ResourceGroup}/providers/Microsoft.Logic/workflows/{LogicAppName}/triggers/When_an_item_is_created/run?api-version=2016-06-01

I know this link works, because if I enter my personal data (email and password) it succeeds. But to avoid having username and password data in the code, I want to solve this with this token. I just do not know where I need to fix it so that the audience matches - in the Logic App or in those app registrations? I would be very grateful for any help.

Original (English):

After a couple of days of struggling, I will try to get some help here. I have several logic apps - some with HTTP triggers and some with SQL triggers (when an item is created, when an item is modified). They are running every X of hours, but the client requested to have the possibility to run the logic apps also manually through a button click in his custom web application.

To be able to run the logic apps (call the triggers), I am trying to get a Bearer token for authorization and run the logic app. I followed all these steps https://www.serverlessnotes.com/docs/securing-azure-logic-app-http-triggers-with-azure-ad#.
Shortly said, I created two app registrations (client and service) including role app and API permissions. Then I added into a LogicApp under Authorization the Issuer (https://login.windows.net/{tenantid}/oauth2/token/) and the Audience (the ClientId of the Service App registration) - that is Step 5 from the link.

But I see I am missing some understanding here. Because now when I test it (as described in the link), I have the following error.

First getting the token:

[screenshot]

And then try to execute the LogicApp Trigger with that token:

[screenshot]

The access token has been obtained for wrong audience or resource 'XXX'. It should exactly match with one of the allowed audiences 'https://management.core.windows.net/','https://management.core.windows.net','https://management.azure.com/','https://management.azure.com'.

The link of the POST request is the trigger of the LogicApp like:
https://management.azure.com/subscriptions/{id}/resourceGroups/{ResourceGroup}/providers/Microsoft.Logic/workflows/{LogicAppName}/triggers/When_an_item_is_created/run?api-version=2016-06-01

I know that this link works because if I try to enter my personal data (email and password), it succeeds. But to avoid username and password data in the code, I wanted to solve this with this token. But I do not know where I need to fix it so the audience matches - in the logic app or in those app registrations? I would be very thankful for any help.

Answer 1

Score: 2

I tried to reproduce the same in my environment and got the following results:

I registered the Azure AD applications the same way you did and added the following API permissions:

[screenshot]

Now I generated an access token via Postman with the following parameters:

GET https://login.microsoftonline.com/<tenantID>/oauth2/token
grant_type:client_credentials
client_id:<client appID>
client_secret: <secret>
resource: api://<service appID>

Response:

[screenshot]

When I used the above token to execute the Logic App trigger, I got the same error as you, as shown below:

POST https://management.azure.com/subscriptions/<subID>/resourceGroups/<ResourceGroup>/providers/Microsoft.Logic/workflows/<LogicAppName>/triggers/manual/run?api-version=2016-06-01

Response:

[screenshot]

To resolve this error, you need to change your request URL by passing the Logic App URL without the SAS key.

When I changed the request URL like that, the Logic App triggered successfully with the following response:

POST <Logic Apps URL without SAS key>

Response:

[screenshot]

If you want to trigger the Logic App with the Management REST API, you need to generate the access token with a different resource, as follows:

GET https://login.microsoftonline.com/<tenantID>/oauth2/token
grant_type:client_credentials
client_id:<client appID>
client_secret: <secret>
resource: https://management.azure.com

Response:

[screenshot]

When I used the above token to trigger the Logic App via the Management API call, I got a Status: 202 Accepted response, as shown below:

POST https://management.azure.com/subscriptions/<subID>/resourceGroups/<ResourceGroup>/providers/Microsoft.Logic/workflows/<LogicAppName>/triggers/manual/run?api-version=2016-06-01

Response:

[screenshot]

Before generating the access token, make sure to assign the appropriate role to the service principal based on your requirements.

In my case, I assigned the Contributor role to the service principal on the Logic App, as shown below:

[screenshot]

Original (English):

I tried to reproduce the same in my environment and got below results:

I registered Azure AD applications same as you and added API permissions as below:

[screenshot]

Now I generated access token via Postman with below parameters:

GET https://login.microsoftonline.com/<tenantID>/oauth2/token
grant_type:client_credentials
client_id:<client appID>
client_secret: <secret>
resource: api://<service appID>

Response:

[screenshot]

When I used the above token to execute LogicApp Trigger, I got same error as you like below:

POST https://management.azure.com/subscriptions/<subID>/resourceGroups/<ResourceGroup>/providers/Microsoft.Logic/workflows/<LogicAppName>/triggers/manual/run?api-version=2016-06-01

Response:

[screenshot]

To resolve the error, you need to change your request URL by passing your Logic App URL without SAS key.

When I changed the request URL like that, LogicApp triggered successfully with below response:

POST <Logic Apps URL without SAS key>

Response:

[screenshot]

If you want to trigger logic app with Management REST API, then you need to generate access token with different resource like this:

GET https://login.microsoftonline.com/<tenantID>/oauth2/token
grant_type:client_credentials
client_id:<client appID>
client_secret: <secret>
resource: https://management.azure.com

Response:

[screenshot]

When I used the above token to trigger LogicApp with Management API call, I got response with Status: 202 Accepted like below:

POST https://management.azure.com/subscriptions/<subID>/resourceGroups/<ResourceGroup>/providers/Microsoft.Logic/workflows/<LogicAppName>/triggers/manual/run?api-version=2016-06-01

Response:

[screenshot]

Make sure to assign proper role to the service principal based on your requirement, before generating access token.

In my case, I assigned Contributor role to service principal under LogicApp like this:

[screenshot]
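The answer comes down to one rule: the aud claim of the token must match what the endpoint you call validates against. A token minted with resource: api://<service appID> carries that value as its audience and is accepted only by the Logic App's own authorization policy (called via the callback URL with the SAS parameters removed), while the management.azure.com trigger-run URL is guarded by Azure Resource Manager and accepts only the four audiences listed in the error message. The Python below is an added example, not code from the question, the answer, or Azure; it decodes a token's payload locally (without verifying the signature, which the resource server still does), checks the audience against the right list for the target URL, strips the SAS parameters from a callback URL, and builds the token-request form and the trigger-run URL. The tenant, client and service IDs, the callback URL, the unsigned alg=none test tokens and the SAS parameter names sp/sv/sig are constructed or assumed; the real token endpoint is called with a POST and returns a signed token. The Logic App policy audience is taken as a parameter because it must equal the aud the token actually carries, which is exactly what this pre-flight check confirms.

```python
import base64
import json
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

# Audiences that Azure Resource Manager accepts, copied from the error message quoted in the question.
ARM_AUDIENCES = {
    "https://management.core.windows.net/",
    "https://management.core.windows.net",
    "https://management.azure.com/",
    "https://management.azure.com",
}
# Query parameters that carry the SAS of a Logic App callback URL (assumed names: sp, sv, sig).
SAS_PARAMS = {"sp", "sv", "sig"}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test token (alg=none, empty signature) so the checks below run offline.
    It stands in for the token Azure AD would issue; a resource server must never accept one."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_jwt_claims(token: str) -> dict:
    """Read the payload of a compact JWT WITHOUT verifying the signature.
    Client-side diagnostics only; ARM or the Logic App policy performs the real validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_request_body(client_id: str, client_secret: str, resource: str) -> dict:
    """Form fields for the v1 token endpoint used in the answer (sent as a POST form body).
    'resource' is what decides the aud claim of the issued token."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }


def trigger_run_url(subscription_id: str, resource_group: str, workflow: str,
                    trigger: str, api_version: str = "2016-06-01") -> str:
    """ARM URL that runs a Logic App trigger, in the shape used in the question."""
    return (
        f"https://management.azure.com/subscriptions/{subscription_id}"
        f"/resourceGroups/{resource_group}/providers/Microsoft.Logic/workflows/{workflow}"
        f"/triggers/{trigger}/run?api-version={api_version}"
    )


def strip_sas(callback_url: str) -> str:
    """Drop the SAS parameters from a Logic App callback URL so the call relies on the Bearer token,
    which is what the answer means by 'Logic App URL without SAS key'."""
    parsed = urlparse(callback_url)
    kept = [(k, v) for k, v in parse_qsl(parsed.query, keep_blank_values=True) if k not in SAS_PARAMS]
    return urlunparse(parsed._replace(query=urlencode(kept)))


def check_audience(token: str, target_url: str, logic_app_policy_audience: str):
    """Pre-flight check: does the token's aud fit the endpoint about to be called?
    Returns (ok, aud). Calls to management.azure.com need an ARM audience; calls to the
    Logic App callback URL need the Audience configured in the Logic App's authorization policy."""
    aud = decode_jwt_claims(token).get("aud")
    auds = set(aud) if isinstance(aud, list) else {aud}
    host = (urlparse(target_url).hostname or "").lower()
    allowed = ARM_AUDIENCES if host == "management.azure.com" else {logic_app_policy_audience}
    return bool(auds & allowed), aud


if __name__ == "__main__":
    # Constructed sample values; replace with real IDs when running against Azure.
    service_app_audience = "api://00000000-0000-0000-0000-000000000001"
    arm_url = trigger_run_url("<subID>", "<ResourceGroup>", "<LogicAppName>", "manual")
    callback = strip_sas("https://prod-00.westeurope.logic.azure.com:443/workflows/abc/triggers/manual/paths/invoke"
                         "?api-version=2016-10-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=REDACTED")
    api_token = make_unsigned_jwt({"aud": service_app_audience})        # as issued for resource=api://<service appID>
    arm_token = make_unsigned_jwt({"aud": "https://management.azure.com"})  # as issued for resource=https://management.azure.com
    print("api:// token against ARM URL      :", check_audience(api_token, arm_url, service_app_audience))
    print("ARM token against ARM URL         :", check_audience(arm_token, arm_url, service_app_audience))
    print("api:// token against callback URL :", check_audience(api_token, callback, service_app_audience))
```

Run as a script it prints the three combinations from the answer: the api:// token fails against the ARM URL (the question's error), the ARM-scoped token passes there, and the api:// token passes against the SAS-less callback URL when the policy audience equals its aud. Treating the role assignment the answer mentions (Contributor on the Logic App for the service principal) as a separate, server-side authorization step is deliberate: a correct audience gets the token past authentication, and RBAC then decides whether the trigger may run.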

huangapple
  • Posted on 2023-02-24 09:22:33
  • Please keep this link when reposting: https://go.coder-hub.com/75551840.html