GreigMitchell - glad you found it helpful.
SMTP is more complex, I agree. The first key to figuring this out is understanding that the organization-wide switch (SmtpClientAuthenticationDisabled) is overridden by any per-user setting. So, if you disable it at the tenant level but enable it on a per-user basis using Set-CASMailbox, the user will be able to send mail. Now that switch/control allows the use of basic and OAuth. Both auth types are either on, or both off.
Then there's the auth piece. Auth Policies only affect the user's or app's ability to use basic. There is no switch for OAuth.
So, if you want a single account to use only OAuth, you would set the tenant-wide setting to True, then use Set-CASMailbox on the single user account and set the value there to False. Now that one user can submit mail via SMTP.
Then create an auth policy (or use the org default) to block basic auth for SMTP. Now no one can send mail via SMTP and use basic. But that one account can use OAuth to send mail.
Personally I think whichever person decided to set the PowerShell parameter up so it's a negative (My brain can't handle blocking it means setting it to True) should be punished, but it's what it is.
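The sequence described in the reply above, written out as an added Exchange Online PowerShell example (not part of the original post): disable SMTP AUTH tenant-wide, re-enable it for one mailbox, then block basic authentication for SMTP through an authentication policy so that the mailbox is left with OAuth only. The mailbox address and policy name are placeholders; the final Where-Object pass is a defender's check that no other mailbox has quietly been given the same override.

```powershell
# Added example; assumes the ExchangeOnlineManagement module is installed and the
# caller holds the Exchange Administrator role. Replace the placeholder values.
$Mailbox    = 'oauth-relay@example.com'   # placeholder: the one mailbox allowed to submit via SMTP
$PolicyName = 'Block Basic Auth'          # placeholder: authentication policy name

Connect-ExchangeOnline

# 1. Tenant-wide: turn SMTP AUTH off for everyone.
#    Note the inverted meaning: $true = disabled.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# 2. Per-mailbox override: $false re-enables SMTP AUTH (basic AND OAuth) for this
#    mailbox only. The per-mailbox value wins over the tenant setting.
#    Setting it back to $null makes the mailbox follow the tenant setting again.
Set-CASMailbox -Identity $Mailbox -SmtpClientAuthenticationDisabled $false

# 3. Authentication policy: block basic auth for SMTP (and, as created here,
#    every other protocol). OAuth is unaffected, so step 2 leaves OAuth only.
if (-not (Get-AuthenticationPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $PolicyName | Out-Null
}
Set-AuthenticationPolicy -Identity $PolicyName -AllowBasicAuthSmtp:$false

# Apply it as the org default so it covers every user, including the override mailbox.
Set-OrganizationConfig -DefaultAuthenticationPolicy $PolicyName

# 4. Verify the result.
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled
Get-CASMailbox -Identity $Mailbox | Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled
Get-AuthenticationPolicy -Identity $PolicyName | Select-Object Name, AllowBasicAuthSmtp

# 5. Audit: list every mailbox that overrides the tenant setting. Only $Mailbox
#    should appear; anything else is an exception someone needs to justify.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled
```

Policy assignments can take time to propagate, so re-run the verification block after a while rather than trusting the first read; and because the per-mailbox override is the one thing that reopens SMTP AUTH, the audit query in step 5 is worth scheduling, not running once.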