For each client service an application is created, which generates a clientid and secret.
The client service generates a token using the clientid and secret.
The client service calls our service API using the token.
This seems straightforward, however I note that in the .NET SDK there is a CreateCredentialsAsync API. Is this related to the M2M authentication flow, or is it is irrelevant? When would this API be used?
Yes, you have understood the client credentials flow correctly!
As for the CreateCredentialsAsync method you shared, it is used to create a new client credential, which is separate from the client credentials grant flow.
So, if I understand correctly, that API is relevant to Private Key/Certificate credentials and allows a new credential to be created for an application. It is not relevant in the case where a client secret is used.
Does the new credential replace any existing credential, or is it an additional credential?