have an AKS cluster configured with enableAzureRBAC=true

I am trying to install the ingress-nginx Helm chart through Flux

It throws the error

reconciliation failed: failed to get last release revision: query: failed to query with labels: secrets is forbidden: User "system:serviceaccount:default:flux-applier" cannot list resource "secrets" in API group "" in the namespace "default": Azure does not have opinion for this user.

I can see that flux sets up a clusterrolebinding to make the flux-applier a cluster admin, which I have verified is in place

Name:         flux-applier-binding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind            Name          Namespace

  ----            ----          ---------
  ServiceAccount  flux-applier  flux-system

So I assume my issue is that Azure doesn't recognize this ServiceAccount and it isn't falling back to built in roles?

https://github.com/kubeguard/guard/blob/master/authz/providers/azure/rbac/checkaccessreqhelper.go

The Azure docs on Azure RBAC for AKS clearly state:

If the identity making the request exists in Azure AD, Azure will team with Kubernetes RBAC to authorize the request. If the identity exists outside of Azure AD (i.e., a Kubernetes service account), authorization will defer to the normal Kubernetes RBAC.

https://learn.microsoft.com/en-us/azure/aks/concepts-identity

But this doesn't seem to be true?