This sounds like you need the Mendix Deeplink module. When deeplinks are called, a microflow can be run, and you can have the parameters that were passed in the URL passed as parameters to this microflow. This should give you access to your authorisation code. In this case, make sure you select the “Use string argument” and “Include GET parameters” options in the deeplink setup.
Hope this helps.
Maybe this blog can help you. The person had the same problem: https://medium.com/mendix/mendix-native-mobile-with-sso-3b86b962a899
The marketplace OIDC module covers this use case for both web and mobile apps. Users can log in using their Azure AD credentials, and then you can use their access token to make authorized calls to the Graph API. I expect it may be exactly what you need.
Even if it’s not exactly your use case, it solves each of the challenges you presented in your question. So, at the very least you can use it to understand how to solve for your use case.