This fixed the issue (thanks to Mendix Support):
In Mendix 9 we changed the value of the SameSite setting for all cookies to
Strict. This means that cookies will only be sent in a first-party context and not be sent along with requests initiated by third party websites. Hybrid apps are running on file:///android_Asset_www.index.html, which means that any request to the Mendix runtime will be considered a cross-site third-party request. This will prevent the hybrid app from sending cookies to the Mendix runtime, as this not the same site. That means that the hybrid app will not send the session cookie, required to authenticate the user. That in turn will result in all request to resources not available to non-anonymous users will fail.
Setting the value of the com.mendix.core.SameSiteCookies runtime setting to
None would resolve that issue. Please note that this less secure than setting it to
Strict, which is one of the reasons we decided to deprecate hybrid apps in Mendix 9.
After that we needed to add the CSS files of Mendix 9 manually with the ReconfigureStylesheet widget/HTML snippet