Programmatic access from a service account to a Google IAP protected resource denied with invalid signature error

I tried your code, and I found that it doesn't work with google.golang.org/api v0.23.0, but it does work with google.golang.org/api v0.24.0 (latest one at the time of writing).

It is indeed a bug; the release notes mention the following:

When provided, use the TokenSource from options for NewTransport. This fixes a bug in idtoken.NewClient where the wrong TokenSource was being used for authentication.

Interestingly, 0.23.0 is sending a token signed with the service account's private key with the following claims:

{
  "iss":"[email protected]",
  "aud":"",
  "exp":1589596554,
  "iat":1589592954,
  "sub":"[email protected]"
}

and 0.24.0 sends a token signed with Google's private key (internally, the previous token is exchanged for a Google-signed token):

{
  "aud":"xxxxxxx-xxxxxxxxxxxxxxxxxx.apps.googleusercontent.com",
  "azp":"[email protected]",
  "email":"[email protected]",
  "email_verified":true,
  "exp":1589596508,
  "iat":1589592908,
  "iss":"https://accounts.google.com",
  "sub":"11524xxxxxxxxxxxxxxxx"
}
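As an added example (not part of the answer above or of the google.golang.org/api library), here is a small Go diagnostic that decodes an ID token's payload and reports whether it has the Google-issued shape IAP expects (iss https://accounts.google.com, aud equal to the IAP OAuth client ID) or the service-account-signed shape sent by v0.23.0. It does not verify the signature, and the IAP client ID and service account e-mail used with it are constructed placeholders.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// IDTokenClaims: the claims that distinguish the two token shapes in the answer above.
type IDTokenClaims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// decodeClaims splits a compact JWT and decodes its payload. The signature is not
// checked: this only shows which kind of token the client sent, it does not authenticate it.
func decodeClaims(token string) (IDTokenClaims, error) {
	var c IDTokenClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("not a compact JWT (want header.payload.signature)")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, fmt.Errorf("payload is not base64url: %w", err)
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, fmt.Errorf("payload is not a JSON object: %w", err)
	}
	return c, nil
}

// checkIAPClaims returns nil when the claims are what IAP expects (Google issuer, aud equal
// to the IAP OAuth client ID, not expired), otherwise the reason IAP would reject the token.
func checkIAPClaims(c IDTokenClaims, iapClientID string, now time.Time) error {
	if c.Iss != "https://accounts.google.com" {
		return fmt.Errorf("iss %q is not Google: token signed by the service account, not exchanged (v0.23.0 behaviour)", c.Iss)
	}
	if c.Aud != iapClientID {
		return fmt.Errorf("aud %q does not match IAP client ID %q", c.Aud, iapClientID)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return fmt.Errorf("token expired at %d", c.Exp)
	}
	return nil
}

// buildUnsignedToken builds a compact JWT with a placeholder signature, to construct sample tokens offline.
func buildUnsignedToken(claims map[string]interface{}) string {
	enc := func(v interface{}) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	return enc(map[string]string{"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".sig-placeholder"
}
```

Run checkIAPClaims on the token your client actually sends (e.g. logged from the Authorization header); a non-Google iss with an empty aud is the v0.23.0 symptom described in the answer.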