If the government had its own key, you could trace anything they signed. Governments likely want code and other stuff they sign to appear as if another actor signed it.
IIUC in general they do. One of the steps of this failure is that a key that had no business signing off on accessing government data was granted that scope by MS's cloud software because they changed the scope-checking API in such a way that their own developers didn't catch the change ("Developers in the mail system incorrectly assumed libraries performed complete validation and did not add the required issuer/scope validation").
So instead of failing safe, lack of new code to address additional scope features "failed open" and granted access to keys that didn't actually have the right scope.
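To illustrate the fail-open versus fail-safe distinction described in the comment above, here is an added example that is not part of the thread and not Microsoft's code. All names (`KEYS`, `library_verify`, the key IDs and secrets) are hypothetical and constructed, and an HMAC stands in for a real asymmetric token signature.

```python
import base64, hashlib, hmac, json

# Constructed registry: each signing key is tagged with the issuer it may sign for.
KEYS = {
    "consumer-key-1": {"secret": b"constructed-consumer-secret", "issuer": "consumer"},
    "enterprise-key-1": {"secret": b"constructed-enterprise-secret", "issuer": "enterprise"},
}

def sign(kid, claims):
    """Issue a token 'kid.body.mac' with the named key (test helper)."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(KEYS[kid]["secret"], body, hashlib.sha256).hexdigest()
    return f"{kid}.{body.decode()}.{mac}"

def library_verify(token):
    """Stand-in for the shared library: checks the signature and nothing else."""
    try:
        kid, body, mac = token.split(".")
        key = KEYS[kid]
    except (ValueError, KeyError):
        return None
    expected = hmac.new(key["secret"], body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return kid, json.loads(base64.urlsafe_b64decode(body))

def mail_access_fail_open(token):
    # Caller assumes the library did complete validation, so any validly
    # signed token is accepted regardless of which key signed it.
    return library_verify(token) is not None

def mail_access_fail_closed(token, required_issuer):
    verified = library_verify(token)
    if verified is None:
        return False
    kid, claims = verified
    # Deny unless the key is explicitly scoped for this issuer AND the claim
    # agrees; a key with no scope metadata is treated as out of scope.
    key_issuer = KEYS[kid].get("issuer")
    return key_issuer == required_issuer and claims.get("iss") == required_issuer

# Constructed tokens: one signed by a key outside the required scope, one in scope.
MIS_SCOPED = sign("consumer-key-1", {"iss": "enterprise", "sub": "mailbox@example.test"})
LEGIT = sign("enterprise-key-1", {"iss": "enterprise", "sub": "mailbox@example.test"})
```

The fail-closed handler also rejects keys registered later without an `issuer` tag, which is the "new feature without new checking code" case the comment describes.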