Pass validationToken in POST body for Subscription notification endpoint validation in addition to query string
A lot of webhook endpoints with various products don't parse query strings sent in POST requests. Traditionally it's expected that all relevant data in a POST request is sent in the body (and perhaps additionally some in HTTP headers), but it is quite unusual to pass data in query strings in POST requests.
Please consider also passing the validationToken in the body of the POST request for notification endpoint validation, so that Graph subscriptions and notifications can be used in more scenarios (like for example with Azure Automation webhooks which do not pass along query strings from POSTs).
Relevant links with details: