I'm not sure if this is an issue or just my misunderstanding of how the world works, but I'm hoping for at least some advice that this is okay.
We've created a basic login flow. This login flow uses an app registration we'll call "frontEndApplication".
The flow redirects to my application and has the code in the URL. My application then uses MSAL to create a confidential client, using the clientid of an app registration we'll call "backEndApplication". I would have expected that I would also provide a secret associated with backEndApplication, but when I do that I receive:
AADB2C90081: The specified client_secret does not match the expected value for this client. Please correct the client_secret and try again.
However, when I use a secret associated with frontEndApplication, the endpoint (below) returns a token as I'd expect.
https://{domain}.b2clogin.com/tfp/{tenant}/{flowName}/oauth2/v2.0/token
Note that other calls do not work, such as MSAL's AcquireTokenForClient method, because the client:secret do not match. This is what I would expect.
Is this expected behavior? It seems very strange to me that, in order to convert a code to a token, I would have to pass a secret owned by the client used in the application flow.
As an aside, for fun I simply supplied Guid.NewGuid() to the confidential client, and it works too. So it seems that the clientid being provided is being thrown away and presumably replaced by the clientid of the client used to authenticate the user?
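An added model (not B2C's or MSAL's code) of the code-to-client binding behind the symptom above: an authorization code is bound to the client that started the login flow, so the token endpoint checks the presented secret against that client rather than against the client_id in the exchange request. The registrations, secrets and error strings are constructed stand-ins for "frontEndApplication" and "backEndApplication".

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed registrations standing in for the two app registrations in the issue.
CLIENTS = {
    "frontEndApplication": "front-secret-constructed",
    "backEndApplication": "back-secret-constructed",
}


@dataclass
class AuthServer:
    # authorization code -> client_id that initiated the /authorize request
    issued_codes: dict = field(default_factory=dict)

    def authorize(self, client_id: str) -> str:
        """Login flow: the code is minted for, and bound to, the requesting client."""
        code = secrets.token_urlsafe(16)
        self.issued_codes[code] = client_id
        return code

    def token(self, code: str, client_id: str, client_secret: str) -> dict:
        """Authorization-code exchange. RFC 6749 section 4.1.3 requires that the
        code was issued to the client being authenticated; this model resolves the
        owning client from the code itself, so (as the issue observes) the client_id
        parameter carries no authority and another client's secret is rejected."""
        owner = self.issued_codes.get(code)
        if owner is None:
            return {"error": "invalid_grant"}  # unknown, expired or already used
        if not hmac.compare_digest(client_secret, CLIENTS[owner]):
            # Secret is compared against the client that started the flow,
            # not against whatever client_id the caller put in the request.
            return {"error": "invalid_client",
                    "error_description": "client_secret does not match this client"}
        del self.issued_codes[code]  # codes are single use
        return {"access_token": f"token-for-{owner}", "client_id": owner}


if __name__ == "__main__":
    srv = AuthServer()
    code = srv.authorize("frontEndApplication")
    # backEndApplication's own (valid) secret cannot redeem frontEndApplication's code
    print(srv.token(code, "backEndApplication", CLIENTS["backEndApplication"]))
    # frontEndApplication's secret redeems it, whatever client_id is sent
    print(srv.token(code, "backEndApplication", CLIENTS["frontEndApplication"]))
```

A stricter server may also reject a client_id that does not match the code's owner; either way the property that matters is that a code can never be redeemed with a different client's credential.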
KCAndersen changed the title on Jun 13, 2024 from "Token acquisition requires the secret of the clientid used to login to B2C, rather than the clientid of the calling application" to "Token acquisition requires the secret of the clientid used to login to B2C, rather than the secret of the calling application".
KCAndersen changed the title on Jun 13, 2024 from "Token acquisition requires the secret of the clientid used to login to B2C, rather than the secret of the calling application" to "Token acquisition requires the secret of the client used to login to B2C, rather than the secret of the calling application".