Use of Application ID URI in Azure Active Directory app


I have an Azure app service X (which has an ASP.NET Web API project published to it) that I have configured with AAD app Y through Advanced Authentication (using Y's client ID in it). Now I also have another AAD app Z, which I want to use in the OAuth 2.0 flow of Postman.

The problem is that when I'm providing Y's client ID and the resource ID as Y's Application ID URI, I'm getting "Client is requesting token for itself." To avoid this I am replacing the resource ID with the Application (client) ID (the GUID) and it works fine. Why?

Also, if I use Z's client ID and Y's resource ID URI, it doesn't work, but it works when I use the GUID. So why is the Application ID URI required? What is the point of it if I can't use it?


I think you may be misunderstanding something. Let's be a little more concrete and simplify a bit: you have Web API A with App Registration A, and you have a client App Registration B.

First you set up Web API A to do whatever it needs; if it needs access to Graph, for example, then in API Permissions you give it that access. Then you either set up Web API A with an app secret or a user flow. Finally you go to "Expose an API", which is where the Application ID URI comes in; this is ONLY to allow client B to access Web API A. You only set this in App Registration A; you do not enter anything regarding this into the Web API App Service. You do not need resource IDs in your Web API unless you are trying to access other APIs, like Graph for example.

Then say you are trying to get client B to use the Web API. In your App Registration B, you add an API Permission -> My APIs -> select the scope you created just before. Then in client B is where you set resource IDs, because you need to get a token that has access to the Web API.

I hope that clarifies it a bit for you. Also, here's a sample of a simple client-to-Web-API flow; it's not 100% identical to yours since you're on an App Service, but it's essentially the same. https://github.com/Azure-Samples/ms-identity-javascript-angular-spa-aspnetcore-webapi