magic-link | Generate , send and validate a magic link | Proxy library

I'm looking for a method to log in a user using a link sent by mail. The Sign-in with a magic link sample policy comes very close to what I want to achieve.

My main issue with this sample is that it requires the web app to set up a certificate and host an OIDC endpoint. So the web app becomes the source of trust. What even is the point of B2C if it's not generating or validating the tokens? It seems like I'm adding an extra attack surface on our application. One of the reasons we use B2C is so we don't have to deal with the dangers of authenication. Or am I seeing this wrong?

Another option I was looking at is the OAuth 2.0 On-Behalf-Of flow. That does use B2C as the source of trust but is not intended to create user tokens. It's for authenticating one app with the parent app. Would it be a bad idea to try to use such an OBO access token to authenticate a user instead?

I have the following flow for sign in / sign up, when using sign-up:

1. Present user with sign up screen, allow them to enter email/password/name
2. Validate input, then send email (rest api) and set verification attributes in b2c custom extension properties

User then receives email with verification link

1. User clicks link from email and gets sent to a new user journey for the return trip
2. New user journey gets parameters from the querystring (email + verif code)
3. B2C validates the verif code + expiry
4. IF user is verified, they're set as verified via custom extension attributes, then sent to the (ASP.NET MVC) application.
5. Here's where I'm stuck - B2C is sending the jwt token back to the app, but the user doesn't get 'signed-in'.

Am I missing something at step 7? I don't have the "state" variable in my querystring, am I expected to build and include it somehow so that B2C and the app can communicate? I'm lost at this point. I'd post some of the b2c policy xml but not sure what would even help...

EDIT: reply to Jas:

Is that the only way (make an app call b2c for an auth request)? We have multiple apps that a user can use to sign up through b2c, so I was hoping to avoid having to make changes to each of them. Instead I was hoping that B2C could tell the app after account verification that "this user is ok".

I did previous look at https://github.com/azure-ad-b2c/samples/tree/master/policies/sign-in-with-magic-link (written by you!), but again, was hoping I could avoid having to do that work inside of each of our apps.

Here's an example of the jwt 'id_token' I'm trying to pass to the app:

id_token

Side note: Is 'id_token' the same as 'id_token_hint'? I couldn't find whether they're the same or different when googling it.