Your scenario requires daemon services to securely communicate with a web API. For this, the services need to be given an identity that the web API understands. Further, the services need to be given a credential using which they can get a token that proves their identity to the web API. Azure AD is a good choice - it allows you to secure your own Web APIs and supports service principal identities. You're looking at the right documentation; the updated sample application that uses cert auth with the AD Auth Library (what you refer to as Authentication Context, I guess) is here: https://github.com/AzureADSamples/Daemon-CertificateCredential-DotNet. Azure AD supports two kinds of credentials for daemon services: certs and symmetric-key client secrets (valid for 1 or 2 years). In either case you can't escape having to provision the credential on every instance of the daemon service, and write automation to update this credential when the secret needs to be rolled. I believe this is your best bet.
Hope that helps.
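As an added illustration (not code from the answer above or from the linked sample), this is the daemon side of the certificate-credential flow with ADAL's `AuthenticationContext`: the certificate is read from the machine store by thumbprint, ADAL signs a client assertion with its private key and exchanges it for an access token for the web API. The tenant, client id, resource URI and thumbprint are placeholders to replace with your own registration values.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL .NET NuGet package

// Daemon-side client-credentials flow using a certificate as the service principal's credential.
// All four constants are placeholders for values from your own Azure AD app registration.
static class DaemonTokenClient
{
    const string Tenant     = "contoso.onmicrosoft.com";                 // placeholder tenant
    const string ClientId   = "00000000-0000-0000-0000-000000000000";    // placeholder daemon app id
    const string Resource   = "https://contoso.onmicrosoft.com/MyWebApi"; // placeholder App ID URI of the web API
    const string Thumbprint = "PLACEHOLDER_CERT_THUMBPRINT";            // cert whose public key is on the app registration

    static readonly AuthenticationContext AuthContext =
        new AuthenticationContext("https://login.microsoftonline.com/" + Tenant);

    // Load the credential from LocalMachine\My so the private key is never stored in config.
    // The daemon's service account needs read access to that private key and nothing more.
    static X509Certificate2 LoadCertificate(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (matches.Count == 0)
                throw new InvalidOperationException("Certificate " + thumbprint + " not found in LocalMachine\\My");
            var cert = matches[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key; cannot sign the client assertion");
            return cert;
        }
        finally
        {
            store.Close();
        }
    }

    // ADAL builds the JWT client assertion (identifying the key by the cert thumbprint), signs it with
    // the private key and posts it to the token endpoint; the token is cached until shortly before expiry.
    public static async Task<string> GetAccessTokenAsync()
    {
        var credential = new ClientAssertionCertificate(ClientId, LoadCertificate(Thumbprint));
        AuthenticationResult result = await AuthContext.AcquireTokenAsync(Resource, credential);
        return result.AccessToken; // send as "Authorization: Bearer <token>" to the web API
    }
}
```

Rolling the certificate means installing the new cert on every instance, uploading its public key to the app registration, and switching the configured thumbprint, which is the automation the answer refers to.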