Your experience reflects the current status of AP trackerprotection and Shelter, see How to make Advanced Privacy work with work profiles using Shelter - #2 by tcecyk
As you now have a valid token for msauth it will work with TP enabled until it expires.
Blocking the ms login domain is very disruptive. I’d probably contact MS on this for them to give the domain a clear role.