Managed identity is the correct choice for this scenario.

Managed identities allow an Azure hosted API to obtain Azure AD access tokens to call other Azure services without storing or exposing credentials. Azure manages the lifecycle of the identity and the API can request tokens from a local endpoint so there are no secrets that developers or external clients need to handle.

Because the identity belongs to the API itself and is provisioned by Azure, external clients do not need to supply credentials to the API in order for it to authenticate to downstream services. This meets the requirement that clients must not provide credentials while still ensuring the API can authenticate when calling other Azure services.

Service principal is an Azure AD application identity but it normally requires managing credentials such as client secrets or certificates. That would force the team to distribute or rotate secrets which the scenario prohibits.

Anonymous would allow unauthenticated access so it fails the requirement that every incoming request must be authenticated.

Client certificate would require external clients to present certificates for authentication which contradicts the requirement that external clients must not supply credentials and it increases certificate management overhead.

Full AWS Practitioner Certification Question