
Jluccaz
Copper Contributor
Jan 28, 2026

External (guest) users can't access my registered application

We have a FileMaker application registered with Entra ID, using OAuth, for internal and external (guest) users in my organization.

Since January 19th, external users have been encountering a different authentication process, which results in a 404 error (see images below).

No changes were made to the Entra ID or the application configurations before this change in behaviour.

It seems that logging in to a personal account results in an incorrect token for the redirect URL, which does not happen when logging in with organizational accounts.

 

 

1 Reply

  • Based on your description, this looks like an account type and authorization endpoint mismatch.

     

    First, check the Supported account types in your App Registration under Authentication settings. If the application is set to support only accounts in your organization, personal Microsoft accounts will not authenticate correctly. Even in B2B scenarios, if an external user signs in as a personal account instead of as a guest within your tenant context, the token may be issued in a different realm and cause redirect failures.

     

    Second, review which authorization endpoint your application is using. If it is using the common endpoint, the identity platform decides dynamically which tenant to authenticate against. In guest scenarios, it is generally more reliable to use the tenant-specific endpoint to ensure the token is issued by your directory.

     

    Third, verify the Redirect URI configuration. A 404 after authentication usually indicates that the redirect URI does not exactly match what is registered in the application settings. The scheme, domain, path, and even trailing slashes must match exactly.

     

    I would also recommend decoding the ID token and reviewing the issuer claim. If the token issuer does not match your tenant, then the authentication flow is resolving to a different account context, which would explain the redirect issue.

     

    Important question: are the external users properly invited as B2B guests in your tenant, or are they signing in directly with personal Microsoft accounts? That distinction changes how the token is issued and validated.
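An added example, not part of the reply above or of any Microsoft tooling: a small Python diagnostic that decodes an ID token's claims (no signature check, troubleshooting only), compares the issuer with the expected tenant, and tests the redirect URI for an exact match. The tenant ID, redirect URIs and tokens are constructed placeholders, and the helper names are hypothetical.

```python
import base64
import json

# Tenant ID Microsoft uses for personal (consumer) accounts.
MSA_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad"

def decode_claims(jwt):
    """Return the JWT payload. No signature check: troubleshooting only."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(body))

def diagnose(jwt, tenant_id, sent_redirect, registered_redirects):
    """List mismatches between the token/request and the app registration."""
    claims = decode_claims(jwt)
    iss, tid = claims.get("iss", ""), claims.get("tid", "")
    accepted = {f"https://login.microsoftonline.com/{tenant_id}/v2.0",  # v2.0 tokens
                f"https://sts.windows.net/{tenant_id}/"}               # v1.0 tokens
    findings = []
    if tid == MSA_TENANT_ID:
        findings.append("personal-account token: user did not sign in as a guest of the tenant")
    elif iss not in accepted:
        findings.append(f"issuer {iss!r} is not tenant {tenant_id}")
    # Exact string comparison, as the reply describes (scheme, host, path, trailing slash).
    if sent_redirect not in registered_redirects:
        findings.append(f"redirect URI {sent_redirect!r} is not registered exactly")
    return findings

def sample_token(claims):
    """Build an unsigned, constructed token for the demo below."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

# Constructed values: tenant ID, redirect URIs and tokens are placeholders.
TENANT = "11111111-2222-3333-4444-555555555555"
REGISTERED = ["https://fm.example.com/oauth/redirect"]
GUEST = sample_token({"iss": f"https://login.microsoftonline.com/{TENANT}/v2.0", "tid": TENANT})
PERSONAL = sample_token({"iss": f"https://login.microsoftonline.com/{MSA_TENANT_ID}/v2.0",
                         "tid": MSA_TENANT_ID})

if __name__ == "__main__":
    print(diagnose(GUEST, TENANT, REGISTERED[0], REGISTERED))
    print(diagnose(PERSONAL, TENANT, REGISTERED[0] + "/", REGISTERED))
```

An empty list means the token and redirect URI line up with the registration; the application must still validate the token signature before trusting any claim.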
