The documentation for the Websockets Policy states the following:

The Websocket policy enables WebSocket protocol connections to upstream APIs. If you plan to enable the WebSocket protocol, consider the following:

• The WebSocket protocol does not support JSON Web Tokens.
• The WebSocket protocol does not allow additional headers.
• The WebSocket protocol is not part of the HTTP/2 standard.

What this ultimately means is that OIDC is not supported, and you must use query params as the credential location. This should be called out explicitly.

Perhaps it should be changed to something like the following:

The Websocket policy enables WebSocket protocol connections to upstream APIs. If you plan to enable the WebSocket protocol, consider the following:

• The WebSocket protocol does not allow additional headers.
  • Therefore the WebSocket Policy requires that the service be configured with Query Parameters for credential location.
  • Therefore the WebSocket policy does not support OIDC authentication method.
• The WebSocket protocol is not part of the HTTP/2 standard.