Join Devices using a provisioning package (.ppkg) in Azure AD - how does it work in detail?

For a project, we are checking whether there is a way to join the devices into AAD using a provisioning package. When creating a project with the Windows Configuration Designer under "Account Management" is the task for "Enroll in Azure AD" and "Get Bulk Token".

Here are my questions about it:

• Which account do I normally used to register the token?
• Which rights and licenses must the account have?
• An enterprise app is being created, but I still must do something with the permissions?
• Something else needs to be done with the user that is created in AAD (package_)?
• Are there hurdles in sight regarding conditional access?

I ask myself the questions because I tried it and failed with the following message (from the event log of the client which I wanted to integrate into AAD)

Client: Windows 10 Pro 21H2, Windows 10 Enterprise 1909 (same Error)

ProvXML category 'DeviceAADJoin' failed with '0x80180014' at CSP node 'AADJ/BPRT'. Provisioning failed