usercertificate AD Attribute not populating for Hybrid Join

And a summary of those labeled, numbered steps:

  1. The device queries AD to find the SCP, in order to obtain AAD tenant details.
  2. The AAD tenant details are returned.
  3. The device creates a self-signed certificate and updates the userCertificate property on its own computer object with that info.
  4. AAD Connect (after the userCertificate has been populated, up to 30 minutes later) syncs the AD computer object into Azure AD.
  5. The device (repeatedly) tries to register with AAD.
  6. When AAD can find a matching device (synced by AAD Connect), the registration will succeed and AAD will provide a device certificate back to the device.

After this point, any AD user that signs into the device will get an Azure AD user token (a primary refresh token, or PRT) that can be used to authenticate with Azure AD-based services. If the user signed in before the registration completed, then they either need to sign out and back in again, or they need to lock and unlock the device – either of those will ensure the user gets a token.

I would also remove the device from Autopilot if you are trying from AD -> AzureAD
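A quick way to verify steps 1 and 3 of the summary above from the on-premises side, as an added diagnostic that is not part of the original post. It assumes the RSAT ActiveDirectory module is installed and that the Service Connection Point sits at its default location under the Configuration partition; the function name and the computer-name parameter are my own.

```powershell
function Test-HybridJoinPrereqs {
    # Hypothetical helper: checks the SCP (step 1) and the userCertificate value (step 3).
    param([string]$ComputerName = $env:COMPUTERNAME)

    Import-Module ActiveDirectory

    # Step 1: the SCP the device reads to learn the Azure AD tenant name and ID.
    # Default well-known container under CN=Services in the Configuration partition.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $scpDN = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNC"
    try {
        $scp = Get-ADObject -Identity $scpDN -Properties keywords -ErrorAction Stop
        Write-Output "SCP present. keywords:"
        # Expect two entries: azureADName:<tenant domain> and azureADId:<tenant guid>
        $scp.keywords | ForEach-Object { Write-Output "  $_" }
    } catch {
        Write-Warning "SCP not found at $scpDN - the device cannot discover the tenant (step 1 fails)."
    }

    # Step 3: the self-signed certificate the device writes to its own computer object.
    $computer = Get-ADComputer -Identity $ComputerName -Properties userCertificate
    if (-not $computer.userCertificate -or $computer.userCertificate.Count -eq 0) {
        Write-Warning "userCertificate is empty on $ComputerName; AAD Connect has nothing to sync (step 3 not done)."
        return
    }

    # Decode each stored blob so subject, issuer and validity can be eyeballed.
    foreach ($raw in $computer.userCertificate) {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            SelfSigned = ($cert.Subject -eq $cert.Issuer)   # the device-written cert is self-signed
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
        }
    }
}

Test-HybridJoinPrereqs
```

Run it from any domain-joined admin workstation; on the device itself, `dsregcmd /status` shows the Azure AD side of the same registration.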
