
How can we integrate Azure Active Directory with Apigee?

Hi All,

Here I have a scenario where I have an API (microservice) in Azure Web Apps that is protected using JWT authentication. To fetch the bearer token (created based on tenant ID, client ID etc.) we have an API call that is public, which has to be protected.

[image: anushreedesai17_0-1626783369262.png]

We have registered both the client and the API application on Azure AD. Now the API application is protected using OAuth authentication (JWT Bearer), whereas the client application is not protected; that is the reason we thought of introducing an Apigee proxy that can access the client application. How can we achieve this?


Can we integrate Apigee with Azure Active Directory? If so, how can it be achieved?


Thanks in advance.

Solved
1 ACCEPTED SOLUTION

I am not quite clear on the verbal description you provided, but.... I can offer some comments, and maybe it will help.

It seems that you have an existing setup in which a client app gets a token from AzureAD and then presents it to the API (microservice). The microservice verifies and validates the JWT and, if valid, honors the inbound request. And now you want to do something similar for the client application. Yes, you can do that. The flow would look something like this.

[image: screenshot-20210720-151744.png]

The steps shown as A, B, C, D must happen before steps 1, 2, 3, 4, 5.

If Azure AD issues a JWT to the external client application, the external client can present it as a bearer token to an Apigee API. You can then use the VerifyJWT policy within the Apigee proxy to verify and validate the AAD-issued JWT. As part of that, Apigee will connect with AzureAD to retrieve the public keys necessary to validate the inbound JWT. (This is just standard JWT verification via JWKS.) At this point Apigee has verified that the external client is bona fide and is trusted by AzureAD.

Some things to note:

  • You need to make sure the token coming out of AzureAD is not intended for use by the Microsoft Graph API itself. The scope claim should be something other than https://graph.microsoft.com/.default. For more on this, see this GitHub issue.
  • You still have the issue of trust between Apigee and the thing labeled as "client application" in your diagram.  Most customers use a combination of TLS certificates and IP range allowlists to establish that trust.

If I am misunderstanding your question, I apologize.

View solution in original post
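The VerifyJWT policy that the accepted solution describes, written out as an added example; this is not code from the original post or from the Apigee documentation. The policy name, the TENANT_ID placeholder and the audience value are assumptions: replace them with your tenant ID and with the Application ID URI (or client ID) of the API app registration. The Audience check is what enforces the second note above: a token minted for Microsoft Graph carries Graph's audience, so it is rejected here before any backend call is made.

```xml
<VerifyJWT async="false" continueOnError="false" enabled="true" name="VJ-Verify-AzureAD-Token">
  <DisplayName>Verify Azure AD JWT</DisplayName>
  <!-- Azure AD signs access tokens with RS256; any other alg in the header fails verification -->
  <Algorithm>RS256</Algorithm>
  <!-- Source is omitted on purpose: by default the policy reads the JWT from the
       Authorization request header ("Bearer <token>") -->
  <PublicKey>
    <!-- Apigee fetches the tenant's current signing keys from this JWKS endpoint and
         selects the key whose "kid" matches the token header (TENANT_ID is a placeholder) -->
    <JWKS uri="https://login.microsoftonline.com/TENANT_ID/discovery/v2.0/keys"/>
  </PublicKey>
  <!-- Issuer for tokens from the v2.0 endpoint; v1.0 tokens use https://sts.windows.net/TENANT_ID/ -->
  <Issuer>https://login.microsoftonline.com/TENANT_ID/v2.0</Issuer>
  <!-- Assumed value: the Application ID URI of the API app registration.
       A token issued for another resource (for example Microsoft Graph) has a different
       "aud" claim and is rejected here. -->
  <Audience>api://your-api-application-id</Audience>
  <!-- Grace period for exp/nbf to absorb small clock differences between Azure AD and Apigee -->
  <TimeAllowance>30s</TimeAllowance>
</VerifyJWT>
```

Attach the policy to the ProxyEndpoint PreFlow so every request is checked before routing to the target. A failed verification raises a fault, so the request never reaches the "client application"; the remaining gap is the trust between Apigee and that backend, which this policy does not address and which the answer suggests closing with TLS and IP allowlists.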
