The question is whether someone has deployed this in real life and if there are any caveats or restrictions. What I am also trying to find out is whether macOS or iOS users would be supported, or only Windows-based endpoints.
If you're using user credentials it would not matter what device you are using, as long as it supports EAP-TTLS/PAP on its supplicant.
I'm not too familiar with Windows stuff and AAD, but if you can add machine credentials other than Windows OS PCs in AAD then I don't see a reason this wouldn't work.
The flow, from what I have read, is as follows. Your supplicant provides the user or machine credentials, depending on the configuration, via the EAP session to AAD. Then, for the authorization part, ISE makes an ROPC call to AAD to get the group membership of the user to use in the authorization rules.
EAP-TTLS is quite widely supported, but you would need to test before going into production with that. I'm not sure about MFA; however, keep in mind that MFA is not something you want to enforce for wireless and wired network access, since every time you roam you may have to approve your connection if you're not doing a fast roam. That would be a usability nightmare 😉
For VPN, MFA is certainly a must-have, but the config in ISE for VPN is not something I have tried yet.
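To make the flow in the reply above concrete, here is an added Python sketch (not code from the poster, Cisco or Microsoft) of the two steps that happen after the EAP-TTLS/PAP tunnel delivers the password to ISE: the ROPC token request to Azure AD and a first-match authorization decision over the user's group membership. The tenant, client id, scope, rule names and the Graph response are constructed assumptions; the endpoint shapes and the `grant_type=password` parameter are the real Azure AD v2.0 and Graph formats.

```python
import json
from urllib.parse import urlencode

# Constructed sample of a Microsoft Graph /me/memberOf response. The object
# shapes are real; the ids and display names are made up for this example.
SAMPLE_MEMBER_OF = json.dumps({
    "value": [
        {"@odata.type": "#microsoft.graph.group",
         "id": "11111111-aaaa-4bbb-8ccc-000000000001",
         "displayName": "NetAccess-Employees"},
        {"@odata.type": "#microsoft.graph.directoryRole",
         "id": "22222222-aaaa-4bbb-8ccc-000000000002",
         "displayName": "Global Reader"},
        {"@odata.type": "#microsoft.graph.group",
         "id": "33333333-aaaa-4bbb-8ccc-000000000003",
         "displayName": "NetAccess-Contractors"},
    ]
})

def build_ropc_token_request(tenant_id, client_id, username, password):
    """Return (url, form_body) for the Azure AD v2.0 ROPC grant.
    grant_type=password is why the inner EAP method has to be PAP: ISE must
    hold the user's cleartext password to forward it, which a challenge-based
    inner method such as MSCHAPv2 never reveals. Scope is an assumption."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"client_id": client_id, "grant_type": "password",
            "username": username, "password": password,
            "scope": "https://graph.microsoft.com/.default"}
    return url, urlencode(form)

def groups_from_member_of(payload):
    """Extract group display names from a Graph /me/memberOf response,
    ignoring directory roles and other non-group objects."""
    return [o["displayName"] for o in json.loads(payload)["value"]
            if o.get("@odata.type") == "#microsoft.graph.group"]

def authorize(groups, rules):
    """Top-down first-match authorization over (required_group, result)
    pairs, falling through to a deny when no rule matches."""
    for required_group, result in rules:
        if required_group in groups:
            return result
    return "DenyAccess"

# Assumed authorization rules, ordered as they would sit in a policy set.
RULES = [("NetAccess-Employees", "Permit-Employee-VLAN"),
         ("NetAccess-Contractors", "Permit-Guest-VLAN")]

if __name__ == "__main__":
    url, body = build_ropc_token_request("contoso.onmicrosoft.com",
                                         "placeholder-client-id",
                                         "alice@contoso.com", "hunter2")
    print(url, body, sep="\n")
    print(authorize(groups_from_member_of(SAMPLE_MEMBER_OF), RULES))
```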