
docs(design): devex proposal for mTLS PoP on Managed Identity and FIC#3832

Open
gladjohn wants to merge 1 commit into master from gladjohn-patch-3

Conversation

@gladjohn
Contributor

@gladjohn gladjohn commented Jun 1, 2026

What

Adds a developer-experience design document for enabling mTLS Proof-of-Possession (mTLS PoP) on the two managed-identity credential sources that currently don't support it:

  • AcquireTokenOptions.ManagedIdentity (pure Managed Identity)
  • SignedAssertionFromManagedIdentity (Federated Identity Credential signed by a Managed Identity)

The doc lives at docs/design/msi_fic_mtls_pop_devex.md, alongside the existing managed_identity_capabilities_devex.md.

Why

Microsoft.Identity.Web already supports mTLS PoP for confidential client apps that authenticate with a certificate (see token-binding.md). The opt-in is one line of configuration:

"ProtocolScheme": "MTLS_POP"

The same opt-in does not work today for the two managed-identity credential sources:

| Credential source | Bearer | mTLS PoP today |
| --- | --- | --- |
| Certificate | | |
| SignedAssertionFromManagedIdentity (FIC) | | ❌ doesn't exist |
| AcquireTokenOptions.ManagedIdentity (MSI) | | ❌ doesn't exist |

This is the gap the proposal closes.

What's in scope

  • Configuration parity — the same "ProtocolScheme": "MTLS_POP" knob enables mTLS PoP for all three credential sources.
  • No new public API — opt-in stays declarative; app developers learn nothing new.
  • Two new dev-app samples: daemon-app-msi-mtls and daemon-app-fic-mtls, modeled on the existing daemon-app-msi.
  • Two doc updates: token-binding.md (add MI + FIC subsections) and certificateless.md (add a short cross-ref).

What's out of scope

  • Code changes — this PR is docs-only. Implementation lands in a follow-up PR.
  • New mTLS PoP knobs beyond what's already in token-binding.md.

Prerequisites for the implementation PR

  • Microsoft.Identity.Web takes a dependency on Microsoft.Identity.Client.KeyAttestation (GA in the next MSAL release).
  • The downstream resource must accept mTLS PoP tokens.
  • The application's tenant and client must be on the ESTS allow-list for mTLS-bound token issuance.

Add specification for mTLS Proof-of-Possession support in Microsoft.Identity.Web for Managed Identity and Federated Identity Credential.
