Long post with a lot of information..
I think the best option is to go with MR46 AP's to start with, since they are running the 802.11ax standard aka WiFi6. Check out the latest MX-firewall series X5, like MX85 and MX95.
Also have a look at the MS390 I think it will leverage a lot of automation that you are looking for. Otherwise MS225 will do the work for 802.1x that you are pointing out.
I would go with a full implementation of 802.1x with EAP-TLS based authentication, if you have a RADIUS-server like Cisco ISE that can handle the authentications and authorizations. Let the RADIUS-server pass on the correct VLAN for the device or user that is connecting to the network.
On the first question: Use the MR accesspoint as the Authenticator, it's the IP-address of the MR that the RADIUS-server get the requests from. The port connected to the MR will be configured as a TRUNK, so the MR will let the clients out on correct VLAN based on the reply and information from RADIUS-server (if I recall correct).
Not sure if RADIUS server like ISE is fully compatible with Azure AD at the moment, I think you will need to go with like ISE 3.0 or ISE 3.1 to get the user attributes.
Hope this will help you..