In the end I moved my validation to the ICustomTokenRequestValidator. The validation now happens in the ValidateAsync(CustomTokenRequestValidationContext context) method. Setting context.Result.IsError = true and populating context.Result.Error and context.Result.ErrorDescription causes the oidc-client-ts to throw an error during log in, and I catch this in the SPA. This works for my purposes.

Unfortunately, the validation that I needed to do wasn't as easy as it was in the OnTokenValidated event, as I didn't have the necessary information (specifically I needed access to the "id_token_hint"), so it did require some "hacks" to be able to pass the necessary information to the ICustomTokenRequestValidator.
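The rejection mechanism described above, as an added example that is not code from the post. It assumes IdentityServer4 namespaces (Duende uses Duende.IdentityServer.Validation with the same interface), the IdentityModel OidcConstants, and a hypothetical check on the subject's "email_verified" claim; note that, as the post says, the token endpoint request itself does not carry the id_token_hint, so the example validates something the context does expose.

```csharp
using System;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4.Validation;

// Hypothetical validator (names are assumptions): rejects a token request
// unless the authenticated subject carries an "email_verified" = "true" claim.
public class RequireVerifiedEmailTokenValidator : ICustomTokenRequestValidator
{
    public Task ValidateAsync(CustomTokenRequestValidationContext context)
    {
        var request = context.Result.ValidatedRequest;

        // Only grants that carry a user identity have a Subject to inspect;
        // client_credentials requests are left untouched here.
        if (request.Subject == null)
        {
            return Task.CompletedTask;
        }

        var verified = request.Subject.FindFirst("email_verified")?.Value;
        if (!string.Equals(verified, "true", StringComparison.OrdinalIgnoreCase))
        {
            // Marking the result as an error makes the token endpoint answer
            // with an OAuth error object instead of issuing tokens; oidc-client-ts
            // surfaces that as a thrown error on the SPA side.
            context.Result.IsError = true;
            context.Result.Error = OidcConstants.TokenErrors.InvalidRequest;
            context.Result.ErrorDescription = "A verified e-mail address is required.";
        }

        return Task.CompletedTask;
    }
}

// Registration in Startup.ConfigureServices:
// services.AddIdentityServer()
//     .AddCustomTokenRequestValidator<RequireVerifiedEmailTokenValidator>();
```

The raw token-endpoint parameters are also reachable via context.Result.ValidatedRequest.Raw if the check needs a custom form field rather than a claim.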