I have located the problem; posting in case it helps anyone else who is in a unique situation.
Because we are education, we split our domain for staff (O365: site.com) and students (GAFE: student.site.com); these cannot use the same domain and retain mail functionality. The non-descriptive error was referring to the domain presented with the %userPrincipalName% variable.
By using %saMAccountName% in lieu of %userPrincipalName%, I was able to pass the data through.
For testing only, a quick/dirty/insecure way to test without error checking was (in case someone needs to troubleshoot GAM):
$firstName = "%firstname%"
$lastName = "%lastname%"
$unicodePwd = "%unicodePwd%"
$userName = "%saMAccountName%"
C:\Gam\gam.exe create user $userName firstname $firstName lastname $lastName password $unicodePwd
For production, I suggest modifying line 16 of the Adaxes-provided script to reflect %saMAccountName% instead of %userPrincipalName%.
For reference, the account that establishes OAuth does not need to be tied to Adaxes in any way. It just needs to be a service account on GAFE with Super Admin permissions to grant API access.