How can we configure client-id in basic authentication policy and how can we verify that in verify-api key policy?
Basic authentication policy is simply a policy that can base64 encode or decode a string into its constituent variables. It actually doesn't verify anything like client_id or secret or anything like that.
If you want to verify the client_id, you need to use the VerifyApiKey policy, a sample of that would look like this:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyAPIKey async="false" continueOnError="false" enabled="true" name="VerifyAPIKey">
    <DisplayName>VerifyAPIKey</DisplayName>
    <Properties/>
    <APIKey ref="client_id"/>
</VerifyAPIKey>
If your use-case is something like this:
"The client would pass the client_id and secret as a Base64 encoded Basic Auth header, and you would like to perform a VerifyAPIKey operation on that after extracting the key from the basic auth header."
In the above case, you would have a BasicAuthentication policy with the encode operation like below:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- enabled must be "true" for the policy to execute when attached to a flow -->
<BasicAuthentication async="false" continueOnError="false" enabled="true" name="BasicAuthentication">
    <DisplayName>BasicAuthentication</DisplayName>
    <Operation>Decode</Operation>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <!-- Variables that receive the decoded user name and password -->
    <User ref="client_id"/>
    <Password ref="client_secret"/>
    <!-- Header that carries the Base64-encoded credentials -->
    <Source>request.header.Authorization</Source>
</BasicAuthentication>
Once this policy executes, you would have the client_id in the "client_id" variable and secret in the "client_secret" variable. After that you can invoke the VerifyAPIKey policy as shown above, which refers to the client_id variable. I hope this helps.
If this answers your query please accept my answer so that the others can benefit from it.
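The decode-then-verify sequence from the answer, as an added Python emulation (not part of the original post and not Apigee's code): it shows what a Basic header decodes to, including secrets that contain colons and malformed headers, and that a key-only lookup accepts a request carrying a wrong secret. The `APPS` store and all function names are assumptions; `secret_matches` is an extra check the answer does not describe.

```python
import base64
import binascii
import hmac

# Constructed sample store standing in for the gateway's registered apps.
APPS = {"abc123": {"secret": "s3cr3t:with:colons", "status": "approved"}}


def decode_basic(header):
    """Return (client_id, client_secret) from an Authorization header value.

    Emulates the Decode step; raises ValueError on malformed input.
    """
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise ValueError("not a Basic Authorization header")
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("credentials are not valid Base64/UTF-8") from exc
    # RFC 7617: the user-id cannot contain ':', the password can,
    # so split on the first colon only.
    client_id, sep, client_secret = raw.partition(":")
    if not sep or not client_id:
        raise ValueError("expected client_id:client_secret")
    return client_id, client_secret


def verify_api_key(client_id):
    """Key-only check, as in the VerifyAPIKey step: the secret is not an input."""
    app = APPS.get(client_id)
    return app is not None and app["status"] == "approved"


def secret_matches(client_id, client_secret):
    """Extra step (assumption, not on the page): constant-time secret comparison."""
    app = APPS.get(client_id)
    if app is None:
        return False
    return hmac.compare_digest(app["secret"].encode(), client_secret.encode())


def make_header(client_id, client_secret):
    """Build the header a client would send (used for the sample input)."""
    pair = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(pair).decode("ascii")
```
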