EinmalIM: you wrote "In the beginning we had an issue with RERs not firing, when we started with Azure AD apps and Sites.FullControl.All. So we allowed our Azure AD app on the tenant level to access all sites by using tenant-admin.sharepoint.com/_layouts/appinv.aspx. That was OK to access SPO by APIs but not to fire the RERs. We had to add our app to the specific site as well with tenant.sharepoint.com/sites/site/_layouts/appinv.aspx. On appinv.aspx we followed the documented steps and used the clientId of the Azure AD app. With that permission entry the RERs started firing", and that's exactly what I was referring to. Whenever you use appinv.aspx, in the background you're creating an Azure ACS app principal for that site, and that's what makes the RERs work... and that's also the reason why they stop working when Azure ACS is turned off. Before calling an RER, SharePoint needs to have a valid credential that is allowed to make the call; this credential is then passed into the RER, allowing the code in the RER to set up a ClientContext and call back into SharePoint. When purely using Azure AD this does not work and is not supported.
When you say "As an alternative to appinv.aspx for giving Sites.Selected permissions per site", is that something you've verified works without appinv.aspx having been used once on those site collections?