We are looking to make a web portal for our users to potentially merge accounts and we would like them to be able to authenticate via Xbox Live.
At the moment, we have the majority of the system setup but when trying to authenticate with an xsts token from the login flow it keeps returning InvalidXboxLiveToken.
The only difference to the way we are doing it on the actual xbox consoles is that we are getting the token through the xsts authorization endpoint. Is this method supported outside of GetTokenAndSignatureAsync and if so would the RelyingParty still be "https://playfabapi.com/" ? We have also tried "http://playfab.xboxlive.com/" to no avail.
We have tested various other xbox live calls and our xsts tokens are accepted there, so we are at a bit of a dead end as to why they might not be accepted.