Authentication past the API Gateway

I’m curious what others are doing for authentication past the Gateway level. Currently we’re looking at something along these lines:

SPA–>User Access Token with Gateway Audience–>Gateway–>M2M Token With API Audience–>API

I’m curious if anyone has found a better authentication method for the Gateway to API level. It would be nice to send a token on behalf of the User rather than for the Gateway. In fact it seems Microsoft offers this solution if I’m understanding their documentation correctly: Microsoft identity platform and OAuth2.0 On-Behalf-Of flow - Microsoft identity platform | Microsoft Learn

I can’t find that flow or anything similar in Auth0. The best we can do is authenticate the user at the Gateway level, then send their token downstream alongside the M2M token, which is used to authenticate with the API where the information they need is ultimately stored. From there we may be able to Frankenstein something in order to get Microsoft’s Authorization middleware to work properly, but it would be much cleaner if this could all be done with a User Token that is valid and has the audience of the API rather than the Gateway.
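To make the audience problem in the post concrete, here is an added example (not code from the poster, Auth0 or Microsoft). It mints a user token with the Gateway audience, shows that forwarding that same token to the API fails the audience check, and then shows the request shape of the standardized equivalent of On-Behalf-Of, the RFC 8693 token exchange, with the resulting API-audience token carrying an `act` claim that names the Gateway as the actor. The issuer URL, audience values, client id and HS256 signing secret are constructed placeholders, and the authorization-server side of the exchange is simulated in-process; whether a given identity provider offers this grant is not something the post establishes.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values. A real issuer signs with an asymmetric key published
# via JWKS; a shared HS256 secret is used here only to keep the example offline.
ISSUER = "https://issuer.example"         # placeholder issuer
SIGNING_KEY = b"constructed-demo-secret"  # constructed, not a real key
GATEWAY_AUD = "https://gateway.example"   # assumed audience value for the Gateway
API_AUD = "https://api.example"           # assumed audience value for the downstream API
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"  # RFC 8693


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict) -> str:
    """Minimal HS256 JWT; stands in for the identity provider in this demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, expected_aud: str, now=None) -> dict:
    """Check signature, issuer, expiry and audience; raise ValueError on failure.
    The audience check is the point of the thread: a token issued for the
    Gateway must be rejected by the API even though the signature is valid."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        raise ValueError(f"audience mismatch: {auds} does not contain {expected_aud}")
    return claims


def token_exchange_request(subject_token: str, audience: str) -> dict:
    """Form parameters the Gateway would POST to the token endpoint (RFC 8693)."""
    return {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "audience": audience,
    }


def simulate_exchange(request: dict, gateway_client_id: str, now: int) -> str:
    """Simulated authorization server: validate the subject token against the
    Gateway audience, then mint a delegated token for the requested audience.
    `sub` stays the user; `act` (RFC 8693 section 4.1) records the Gateway."""
    if request["grant_type"] != TOKEN_EXCHANGE_GRANT:
        raise ValueError("unsupported grant_type")
    user = verify_jwt(request["subject_token"], GATEWAY_AUD, now)
    return mint_jwt({
        "iss": ISSUER, "sub": user["sub"], "aud": request["audience"],
        "exp": now + 300, "scope": user.get("scope", ""),
        "act": {"sub": gateway_client_id},
    })


def demo(now: int = 1_700_000_000) -> dict:
    """Walk the SPA -> Gateway -> API path and report what each hop accepted."""
    user_token = mint_jwt({"iss": ISSUER, "sub": "user-123", "aud": GATEWAY_AUD,
                           "exp": now + 3600, "scope": "read:orders"})
    gateway_claims = verify_jwt(user_token, GATEWAY_AUD, now)  # Gateway accepts it
    try:                                                        # API must not
        verify_jwt(user_token, API_AUD, now)
        forwarded_ok = True
    except ValueError:
        forwarded_ok = False
    api_token = simulate_exchange(token_exchange_request(user_token, API_AUD), "gateway-client", now)
    api_claims = verify_jwt(api_token, API_AUD, now)            # delegated token passes
    return {"gateway_sub": gateway_claims["sub"], "forwarded_ok": forwarded_ok,
            "api_sub": api_claims["sub"], "actor": api_claims["act"]["sub"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The downstream API keeps a single authorization model: it validates one token whose `sub` is the end user, so user-level policy works unchanged, while the `act` claim lets it log or restrict which intermediary brought the request, something a plain M2M token alone cannot express.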