Issuer in access token from azure active directory is https://sts.windows.net when I'm expecting https://login.microsoftonline.com

So seems that changing the acceptedTokenVersion to 2 in the manifest did change but it just took time to take effect.

And yes the audience is always the client id based on my tests in v2 tokens.