cyimxtck

Can a group Managed Service Account be leveraged in C# to make a call to an HTTP client?

We are trying to leverage a gMSA that's been set up on the two servers that talk to each other. One is the web server from which the request is made, wherein we outline the C# code below, and the other is an API that is internal to our organization.

We keep getting a 401 when submitting the password as string.Empty, or "", or missing, or...but, of course, we get a 200 with another login that the API recognizes.

How can we use the gMSA to make the HTTP call since the passwords are not used with a gMSA?

We've tried this:

    var _client = _httpClientFactory.CreateClient("WebClient");

    var userName = "web_test$"; // <-- gMSA
    var password = string.Empty;
    var digest = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{userName}:{password}"));

    _client.DefaultRequestHeaders.Add("Authorization", $"Basic {digest}");
    _client.DefaultRequestHeaders.Add("ContentType", "application/json");

    var httpRequest = new HttpRequestMessage(HttpMethod.Get, @"https://APIServer/connection");

    var _httpResponse = await _client.SendAsync(httpRequest);

That doesn't work, nor does "", or completely omitting the password altogether.

Does anyone know if there is a way to "inject" the gMSA and somehow specify that the password isn't needed?

We don't want to go down the route of using an MSA due to the passwords changing, by rule of the corporate standards, and we have to go and alter code, encrypt the password, retest, etc.

The API is hosted internally but there isn't a way to alter the API; we bought a software package from a vendor. That's a constraint we have to live with.

This article seemed promising, but no dice: "How can I programmatically install a system service using c# to use a Group Managed Service Account (gMSA)?"

Upvotes: 0

Views: 148
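An added example, not part of the original post: Basic authentication always sends a cleartext password for the server to verify, so an empty one for `web_test$` is simply rejected. The sketch below instead lets the handler authenticate as the process identity and, on a 401, reports which schemes the API offers. It assumes the calling process (IIS app pool or Windows service) already runs as the gMSA and that the vendor API accepts Windows integrated authentication (Negotiate or NTLM); the page confirms neither. The client name and URL are taken from the question.

```csharp
// Added example. Assumptions: the process runs as the gMSA, and the API
// accepts Negotiate/NTLM. Requires the Microsoft.Extensions.Http package.
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;

public static class GmsaHttpCheck
{
    public static async Task Main()
    {
        var services = new ServiceCollection();
        services.AddHttpClient("WebClient")
            .ConfigurePrimaryHttpMessageHandler(() => new HttpClientHandler
            {
                // Authenticate as the process identity; no password in code.
                UseDefaultCredentials = true
            });

        using var provider = services.BuildServiceProvider();
        var factory = provider.GetRequiredService<IHttpClientFactory>();
        var client = factory.CreateClient("WebClient");

        // Confirms which account the process actually runs as.
        Console.WriteLine($"Running as: {Environment.UserDomainName}\\{Environment.UserName}");

        using var request = new HttpRequestMessage(HttpMethod.Get, "https://APIServer/connection");
        using var response = await client.SendAsync(request);
        Console.WriteLine($"Status: {(int)response.StatusCode}");

        if (response.StatusCode == HttpStatusCode.Unauthorized)
        {
            // The schemes the server offers decide whether a gMSA can be used.
            var schemes = response.Headers.WwwAuthenticate.Select(h => h.Scheme).ToList();
            Console.WriteLine($"Server offers: {string.Join(", ", schemes)}");
            bool integrated = schemes.Any(s =>
                s.Equals("Negotiate", StringComparison.OrdinalIgnoreCase) ||
                s.Equals("NTLM", StringComparison.OrdinalIgnoreCase));
            Console.WriteLine(integrated
                ? "Integrated auth is offered: check the SPN and the gMSA's rights on the API."
                : "Only password-based schemes are offered: the gMSA identity cannot be presented.");
        }
    }
}
```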

Answers (0)