79623352

Date: 2025-05-15 12:50:27
Score: 2

I hit this exact issue recently and seem to be able to have overcome it.

In the Enterprise application under single sign-on there is a section for adding in option claims; only when adding something here did it work for me. The token configuration of the app registration itself had no impact on the values passed back in the JWT.

In my case I have used the email field but called it userprincipalname, as my app will be getting tokens from both Entra ID and External Entra ID, of which this is the only like-for-like claim I could use.

I hope that makes sense but let me know if not.


Reasons:
  • Blacklisted phrase (1): enter image description here
  • Long answer (-0.5):
  • No code block (0.5):
  • Low reputation (1):
Posted by: Paul Souch