Thank you both for checking! Just had a better look and this issue is frequently discussed on the forum. (My guess is that an HTTP request is triggered when a user attempts to upload a file, and that request isn’t picking up on the Azure Active Directory authorization headers.)
Not sure if this works, but a user in one thread recommends the following configuration in the .streamlit/config.toml file:
[server]
enableXsrfProtection = false
enableCORS = false
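A check for the configuration quoted above, as an added example that is not part of the original post or of Streamlit itself: it parses a `config.toml` and reports when the two `[server]` protections are switched off. The function name `audit_streamlit_config` and the sample input are constructed for illustration; it assumes both options default to true and that Streamlit keeps CORS protection on whenever XSRF protection is on.

```python
# Added example: audit a Streamlit config.toml for the [server] settings quoted above.
try:
    import tomllib  # standard library from Python 3.11
except ImportError:  # assumption: the tomli backport is installed on older versions
    import tomli as tomllib

# Assumed Streamlit defaults: both protections are on unless set otherwise.
DEFAULTS = {"enableXsrfProtection": True, "enableCORS": True}

# Constructed sample input: the configuration recommended in the thread.
PAGE_CONFIG = """
[server]
enableXsrfProtection = false
enableCORS = false
"""


def audit_streamlit_config(toml_text):
    """Return (option, finding) tuples for weakened [server] protections."""
    server = tomllib.loads(toml_text).get("server", {})
    effective = {name: server.get(name, default) for name, default in DEFAULTS.items()}
    findings = []

    xsrf_off = effective["enableXsrfProtection"] is False
    if xsrf_off:
        findings.append(("server.enableXsrfProtection",
                         "XSRF token check is off; uploads and other "
                         "state-changing requests are accepted without it"))

    if effective["enableCORS"] is False:
        if xsrf_off:
            findings.append(("server.enableCORS",
                             "cross-origin protection is off; any origin "
                             "may call the app's endpoints"))
        else:
            # With XSRF protection on, Streamlit warns and keeps CORS protection on.
            findings.append(("server.enableCORS",
                             "no effect: overridden to true while "
                             "enableXsrfProtection is true"))
    return findings


if __name__ == "__main__":
    for option, finding in audit_streamlit_config(PAGE_CONFIG):
        print(f"{option}: {finding}")
```

Run it over each deployed `.streamlit/config.toml` to find apps where this workaround was applied and left in place.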