Active Directory integrated auth with hybrid environment not working

David Newland 0 Reputation points
2024-01-09T15:17:15.52+00:00

We have two domains. A .local domain and a .com domain. The environment is hybrid with PHS set up with AD sync. When I go into my Entra ID portal, my users are showing as the .com domain which is expected. The on-premises area shows synced to the .local which is what we want.

Here is my problem. We host websites and in the web.config we have a connection string. We would like to use Active Directory integrated authentication inside the connection string. For this to work we use a user in the application pool identity such as: domain\iisuser. That domain is our .local domain. It allows the application pool to run but when we put it into the connection string we get an error on the site saying "could not discover a user realm". It appears that even though our users are synced with Entra or Azure AD, it still does not allow the authentication. The websites and databases are in Azure. VMs running in Azure and DBs are SQL Managed Instance DBs.

What is happening: Our iisuser on our domain.local is unable to authenticate to our Azure SQL Managed Instance DB. Since we have the hybrid setup with PHS, I would have thought this would work. The UPN for the user in Entra shows as the domain.com, and the UPN on-prem AD shows the domain.local.

This is also part of why our GPO for Intune is not working I believe. We are trying to add devices into Intune via GPO as per Microsoft docs, yet it doesn't work either. The GPO uses user authentication so I think it's running into the same roadblock. When running a dsregcmd /status there is one problem we can see, that is the SSO state "AzureAdPrt : NO". Then below that it shows the error description, "tenant domain.local not found".

How do we solve these issues going forward? I have already tried switching the UPN to domain.com on the iisuser on-prem, that doesn't work. We do not want ADFS here as it's antiquated according to Microsoft.
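As an added example (not part of the question or any Microsoft code), the following Python script audits a web.config for connection strings that use Active Directory Integrated authentication and flags any whose application pool account has a UPN suffix outside the tenant's verified domains, the realm mismatch the question describes. The web.config text, the server name and the verified-domain set are constructed assumptions for this example.

```python
"""Audit web.config connection strings for Active Directory Integrated auth."""
import xml.etree.ElementTree as ET

# Constructed assumption: domains verified in the Entra tenant.
VERIFIED_DOMAINS = {"contoso.com"}

# Constructed sample web.config resembling the one described above.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="AppDb"
         connectionString="Server=tcp:sqlmi.example.database.windows.net,1433;Database=app;Authentication=Active Directory Integrated;Encrypt=True" />
    <add name="LegacyDb"
         connectionString="Server=sql01;Database=legacy;Integrated Security=SSPI" />
  </connectionStrings>
</configuration>
"""


def parse_connection_string(cs: str) -> dict:
    """Split an ADO.NET connection string into a lower-cased key/value map."""
    parts = {}
    for item in cs.split(";"):
        if "=" in item:
            key, _, value = item.partition("=")
            parts[key.strip().lower()] = value.strip()
    return parts


def uses_ad_integrated(cs: str) -> bool:
    """True when the Authentication keyword selects AD Integrated auth."""
    auth = parse_connection_string(cs).get("authentication", "")
    return auth.replace(" ", "").lower() == "activedirectoryintegrated"


def audit_web_config(xml_text: str, app_pool_upn: str) -> list:
    """Return one finding per AD Integrated connection string whose
    app pool UPN realm is not a verified tenant domain."""
    realm = app_pool_upn.rpartition("@")[2].lower()
    findings = []
    root = ET.fromstring(xml_text)
    for add in root.iter("add"):
        cs = add.get("connectionString", "")
        if not uses_ad_integrated(cs):
            continue  # SQL auth / SSPI strings do not go through Entra realm lookup
        if realm not in VERIFIED_DOMAINS:
            findings.append(f"{add.get('name')}: Active Directory Integrated auth, "
                            f"but app pool UPN realm '{realm}' is not a verified tenant domain")
    return findings
```

Run it with the application pool identity's UPN, e.g. `audit_web_config(SAMPLE_WEB_CONFIG, "iisuser@contoso.local")`; a non-empty result means the identity presented to SQL MI carries a realm Entra cannot resolve.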
