After a lot of testing with configuration of the plugin and customizing the JWT token to create more dynamic roles I ended up having to write a custom version of the 'rabbit_auth_backend_oauth2' plugin to have full control over roles-to-vhost permissions.

Frustrating Azure doesn't allow for more customization as claims mapping would've worked if not for only being allowed one transformation expression/claim.