reevesjeremy
Authentication traffic uses TCP port 443, so it is not possible to split it out via a unique port. You'll find the URLs in question in row 56 of the URL/IP service. The specific authentication URLs are login.microsoftonline.com, login.microsoft.com, and login.windows.net. Ensure these are sent down the VPN tunnel to the proxy or similar if you want to ensure they are sent to Microsoft via your corporate network.
In terms of the conditional access rule, if you only split tunnel the Optimize-marked traffic, then the auth traffic will continue to arrive at AAD from your corporate network and the rules you've set for that scenario will continue to apply, i.e., when the user requests a token, the request is routed via the on-premises environment and thus the policies applied to that scenario are applied.
As for IPv6, as these auth endpoints (the three listed above) do not have IPv6 addresses assigned to them, the client cannot/will not attempt to connect to them over IPv6; rather, it'll use IPv4.
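
An added example, not part of the post above: a small audit that checks whether any address a client resolves for the three authentication hostnames falls inside a route the VPN client sends directly to the internet, which would make token requests arrive from outside the corporate network. The function name, the sample bypass list and the sample addresses are assumptions; the addresses are constructed from documentation ranges, not real Microsoft IPs.

```python
import ipaddress

# The three authentication hostnames named in the post.
AUTH_HOSTS = ("login.microsoftonline.com", "login.microsoft.com", "login.windows.net")

def audit_split_tunnel(bypass_cidrs, resolved):
    """Return (host, address, reason) findings for auth traffic that would skip the tunnel.

    bypass_cidrs: CIDR strings the VPN client routes straight to the internet.
    resolved: dict of hostname -> list of IP strings, collected on a client.
    """
    bypass = [ipaddress.ip_network(c, strict=False) for c in bypass_cidrs]
    findings = []
    for host in AUTH_HOSTS:
        addrs = resolved.get(host)
        if not addrs:
            # Without resolution data the host cannot be cleared, so report it.
            findings.append((host, None, "no resolution data supplied"))
            continue
        for text in addrs:
            addr = ipaddress.ip_address(text)
            hit = next((n for n in bypass
                        if n.version == addr.version and addr in n), None)
            if hit is not None:
                findings.append((host, text, f"bypasses tunnel via {hit}"))
    return findings

# Constructed sample input (RFC 5737 documentation ranges).
SAMPLE_BYPASS = ["192.0.2.0/24"]            # stands in for the split-tunnel route list
SAMPLE_RESOLVED = {
    "login.microsoftonline.com": ["198.51.100.10"],   # stays in the tunnel
    "login.microsoft.com": ["192.0.2.25"],            # falls in a bypass route
    # login.windows.net deliberately missing to show the "no data" finding
}

if __name__ == "__main__":
    for host, addr, reason in audit_split_tunnel(SAMPLE_BYPASS, SAMPLE_RESOLVED):
        print(f"{host} {addr or '-'}: {reason}")
```

An empty result means every supplied address for the three hosts stays on tunneled routes.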