Authenticating via Sites.Selected and m365 cli

Question

Background

• We are using Azure DevOps Pipelines to deploy a SPFx package to a SharePoint online site collection app catalog
• Deployments are being done in a PowerShell task using the M365 CLI
• Authentication is done by an AD app registration and a certificate with Sites.Selected access
• Sites.Selected has been granted with FullControl on the target site
• We are using m365 spo app instance list to determine if the app has already been added to the site, so we know if we need to install or upgrade the package

Problem

• The m365 spo app instance list command returns an empty array even if there are multiple SPFx packages added to the site

Investigation So Far

• The m365 spo app instance list command calls https://tenant.sharepoint.com/sites/site/_api/web/AppTiles?$filter=AppType%20eq%203
• Browing to the url in an authenticated session with a user which has owner access brings back the data as expected
• Using Postman with the url and the bearer token taken from the pipeline step confirms an empty array is being returned
• Removing the filter in Postman returns other data correctly (all the lists and libraries on the site) but not the SPFx apps added to the site
• It appears authenticating via a certificate and Sites.Selected FullControl does not have access to see the installed SPFx apps

Anyone come across this issue before?