There is a label required for AKS Workload Identity (see the MS docs example) that is not currently included in the AKS example.

Label:

```yaml
azure.workload.identity/use: "true"
```
After adding this label to the runner template override, and configuring the service account appropriately, I am able to use AKS Workload Identity with tofu-controller to access a backend stored in an Azure storage blob, and interact with azurerm resources.
I'd be willing to submit a PR to update the example with my findings, if that would be helpful.
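For reference, the setup the post describes (runner pod label plus an annotated ServiceAccount and an azurerm backend), written up as an added example that is not from the issue author or the tofu-controller project. It assumes the `flux-system` namespace, a ServiceAccount named `tf-runner`, and placeholder values for the client ID, tenant ID and storage account; the provider block in the Git source would enable `use_aks_workload_identity` the same way.

```yaml
# Added example; not from the issue author or the tofu-controller project.
# Assumptions: namespace "flux-system", ServiceAccount "tf-runner",
# Terraform CR apiVersion infra.contrib.fluxcd.io/v1alpha2, and placeholder
# values for the client ID, tenant ID and storage account.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tf-runner
  namespace: flux-system
  annotations:
    # Binds this ServiceAccount to a user-assigned managed identity. That
    # identity needs a federated credential whose issuer is the cluster's
    # OIDC issuer URL and whose subject is exactly
    # system:serviceaccount:flux-system:tf-runner; any other SA is rejected.
    azure.workload.identity/client-id: "<MANAGED_IDENTITY_CLIENT_ID>"
    azure.workload.identity/tenant-id: "<TENANT_ID>"
---
apiVersion: infra.contrib.fluxcd.io/v1alpha2
kind: Terraform
metadata:
  name: azure-example
  namespace: flux-system
spec:
  interval: 10m
  approvePlan: auto
  sourceRef:
    kind: GitRepository
    name: azure-example
  runnerPodTemplate:
    metadata:
      labels:
        # The workload-identity mutating webhook only injects the projected
        # SA token volume and AZURE_* env vars into pods carrying this label,
        # so it has to reach the runner pod (not the Terraform CR itself).
        azure.workload.identity/use: "true"
    spec:
      serviceAccountName: tf-runner
  backendConfig:
    customConfiguration: |
      backend "azurerm" {
        resource_group_name       = "<STATE_RG>"
        storage_account_name      = "<STATE_STORAGE_ACCOUNT>"
        container_name            = "tfstate"
        key                       = "azure-example.tfstate"
        # Exchange the projected SA token for an Entra token; no storage
        # account key or client secret is mounted into the runner.
        use_aks_workload_identity = true
      }
```

A quick check that the label landed: `kubectl -n flux-system get pod -l azure.workload.identity/use=true -o yaml` should show the `azure-identity-token` projected volume and `AZURE_FEDERATED_TOKEN_FILE` on the runner pod; if they are missing, the webhook never saw the label.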