How do I get RADIUS auth without an existing DC?

Devin Edmiston 1 Reputation point
2020-11-19T04:59:16.647+00:00

We have Azure AD and Azure ADDS. I just want simple RADIUS auth for VPN and Wi-Fi. We don't have an on-prem DC; all of our users are specified in, and connect directly to, Azure DS.

From what I understand, I need an on-prem DC and an NPS service.

On Server 2019 Standard, I set up AD Connect and synchronized everything locally, then installed AD.
I'm unable to promote AD to the DC. We want a single domain, which is already hosted on Azure AD, but when I try to add a DC to an existing domain with my Azure credentials (as a domain owner and ADDS owner) I get the error:
"Could not log onto the domain with the specified credential. Supply with a valid credential and try again." Since this user is the account, domain and subscription owner, I don't really know why I can't create the DC. I also tried creating a new forest just for kicks, but it recognizes that the domain already exists.

Just to note, I also wasn't able to set up SSO on AD Connect; it complained about not having Enterprise credentials, but I can't add Enterprise credentials to the AD account users (I think these are local credential objects?).

I'm assuming that there's a step or credential that I'm missing, but I didn't see that step in the multitude of documents, which all seem to want to do this as a migration from on-prem to Azure, which also isn't my use case.


1 answer

  1. Daniel Stefaniak 6 Reputation points
    2020-11-19T19:35:03.81+00:00

    This is by design. As of November 2020 you cannot add your own domain controllers to an AADDS forest (there is no roadmap item to change it). Also, as of November 2020, Azure ADDS does not support NPS server installation (it is on the long-term roadmap, but nothing is committed). If you need it, vote here: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/34781713-support-nps-radius-for-azure-ad-domain-services

    For cloud-only customers we recommend SAML-based VPN and captive portal setups for network/remote authentication, akin to the AnyConnect setup: https://video2.skills-academy.com/en-us/azure/active-directory/saas-apps/cisco-anyconnect

