Being able to specify the ServiceAccountName for underlying Pods is necessary to unlock capabilities - such as Azure Workload Identity - provided by managed Kubernetes distros (e.g. AKS).

Obviously, the underlying runtime (containerd-shim-spin) must pick up the specified ServiceAccountName and run the Wasm workload using the identity.