Azure-cli: Cannot grant admin consent for an app role permission

Describe the bug
When adding an app role permission (az ad app permission add --id $daemonId --api $apiId --api-permissions "$appRoleId=Role") the output says I have to run az ad app permission grant which fails with a 404 Not Found.

Running az ad app permission admin-consent also fails, but with a 400 Bad Request.

To Reproduce
Commands run in PowerShell Core 7 on Windows 10.

Create an API app and a Daemon app in AD. Save their Ids in two variables

az ad app create --display-name "Demo API"
az ad app create --display-name "Demo Daemon"
$appId = az ad app list --display-name "Demo API" --query "[0].appId" -o tsv
$daemonId = az ad app list --display-name "Demo Daemon" --query "[0].appId" -o tsv

Create mainfest app-roles.json:

[
  {
    "allowedMemberTypes": ["Application"],
    "description": "Test role",
    "displayName": "test_role",
    "id": "da2a2ee5-042a-45c4-a5cb-8c9509210296",
    "isEnabled": true,
    "value": "test_role"
  }
]

Add an app role to the API app, and save the ID in a variable:

az ad app update --id $apiId --app-roles `@app-roles.json
$appRoleId = az ad app show --id $apiId --query "appRoles[0].id" -o tsv

Give the daemon app permissions to the app-role:

az ad app permission add --id $daemonId --api $apiId --api-permissions "$appRoleId=Role"

Returns the following message:

Invoking "az ad app permission grant --id c63487d1-f831-41b6-b910-d48f45407e38 --api ed6e63fb-373e-4f70-8f96-f4812729a72f" is needed to make the change effective

Running needed command:

az ad app permission grant --id c63487d1-f831-41b6-b910-d48f45407e38 --api ed6e63fb-373e-4f70-8f96-f4812729a72f

Gives the result

Operation failed with status: 'Not Found'. Details: 404 Client Error: Not Found for url: https://graph.windows.net/fb649737-372c-45d7-b09f-ea9dbc11119a/oauth2PermissionGrants?$filter=clientId%20eq%20%27c63487d1-f831-41b6-b910-d48f45407e38%27&api-version=1.6

I can see in the portal and using az ad app permissions list that the role permissions has been granted, but I still need to grant the admin consent. Trying

az ad app permission admin-consent --id $daemonId

Gives the error

Bad Request({"ClassName":"Microsoft.Portal.Framework.Exceptions.ClientException","Message":"Graph call failed with httpCode=BadRequest, errorCode=Request_BadRequest, errorMessage=The application needs access to a service that your organization Justify has not subscribed to. Please contact your administrator to review the configuration of your service subscriptions., reason=Bad Request, correlationId = 98a3d2e8-9cfd-4e12-b488-0794ba5782d1, response = {\"odata.error\":{\"code\":\"Request_BadRequest\",\"message\":{\"lang\":\"en\",\"value\":\"The application needs access to a service that your organization Justify has not subscribed to. Please contact your administrator to review the configuration of your service subscriptions.\"},\"requestId\":\"adbe2136-0c5e-4e37-8d02-b1237689526f\",\"date\":\"2020-03-30T19:11:25\"}}","Data":{},"HResult":-2146233088,"XMsServerRequestId":null,"Source":null,"HttpStatusCode":400,"ClientData":{"errorCode":"Request_BadRequest","localizedErrorDetails":{"errorDetail":"The application needs access to a service that your organization Justify has not subscribed to. Please contact your administrator to review the configuration of your service subscriptions."},"operationResults":null,"timeStampUtc":"2020-03-30T19:11:25.3858982Z","clientRequestId":"98a3d2e8-9cfd-4e12-b488-0794ba5782d1","internalTransactionId":"eae485ee-e2d5-41f9-8c2b-a45f4e731e24","tenantId":"fb649737-372c-45d7-b09f-ea9dbc11119a","userObjectId":"<My user object ID>","exceptionType":"AADGraphException"}})

Granting admin consent in the portal seems to work fine.

Expected behavior
I was expecting to be able to use the command instructions from az ad app permission add without error and have it grant the necessary admin consents.

Alternatively, I was expecting az ad app permission admin-consent without error and have it grant the necessary admin consents.

Environment summary
Installed via MSI on WIndows 10 (Version 10.0.19041.172)

> az --version
azure-cli                          2.2.0

command-modules-nspkg              2.0.3
core                               2.2.0
nspkg                              3.0.4
telemetry                          1.0.4

Extensions:
azure-devops                      0.12.0
eventgrid                          0.4.3
interactive                        0.4.3

> pwsh -Version
PowerShell 7.0.0

Additional context
Using the --debug flag, this is the request that fails:

urllib3.connectionpool : https://main.iam.ad.ext.azure.com:443 "POST /api/RegisteredApplications/c63487d1-f831-41b6-b910-d48f45407e38/Consent?onBehalfOfAll=true HTTP/1.1" 400 1518

c63487d1-f831-41b6-b910-d48f45407e38 is the appId for the Daemon App.

Tried doing the rest call manually, as described in #12137 :

$daemonObjectId = az ad app show --id $daemonId --query "objectId" -o tsv
$apiObjectId =  az ad app show --id $apiId  --query "objectId" -o tsv
az rest --method POST --uri "https://graph.microsoft.com/beta/servicePrincipals/$daemonObjectId/appRoleAssignedTo" --header Content-Type=application/json --body "{ 'principalId': '$daemonObjectId', 'resourceId': '$apiObjectId', 'appRoleId': '$appRoleId' }"

But that gave the following error:

Not Found({
  "error": {
    "code": "Request_ResourceNotFound",
    "message": "Resource '3fd2caad-b0ec-4d2a-aa2e-ab142841770d' does not exist or one of its queried reference-property objects are not present.",
    "innerError": {
      "request-id": "2e7aab3a-6d3e-4ffd-b8fb-e917c870a11d",
      "date": "2020-03-30T20:55:30"
    }
  }
})

3fd2caad-b0ec-4d2a-aa2e-ab142841770d is the Object ID for the Daemon app, the app I have assigned the permissions to.

I have checked the access token being used with Fiddler and it's for my own user, not a service principal.