Hoping this is not too late, but I use App passwords on my Demo environment. Here are some of the issues I've encountered:
Just to paint a picture, I have been playing with 2 admin accounts (2FA) and one semi-admin account. Fully deployed on O365.
* I initially configured this with User1. Not best practice to use a User account when configuring, but I wanted to test changing accounts around. Through an arduous, long process and cursing, it finally worked with App passwords.
* Time to swap things around! I edited the organization to configure as Administrator. The EWS Connection can be finicky and will time out with a 401, but PowerShell will pass. Eventually it fixes itself. There is a KB out there for this (2440), but all it took for me was to exit the Configuration and attempt it again. I'll update if this causes backup issues, but so far so good with a few tests.
* App passwords, although terrible for future setups/modifications, might be the way to go for a highly secure environment. Just make sure that the address used for reporting is NOT using an app password. It really did not like my app password.
When you use an app password, it throws a 5.7.60 SMTP error, and I've tried multiple fixes, even changing the SMTP to my "demo.mail.protection.outlook.com", port 25/587. I authenticated it against an account (reports) that does not require 2FA but has some other Admin rights on EAC.
* Probably not the right place to put this, but attempting to connect to PowerShell (not via Agent) to perform login tests did not work at all. I only tested this so I can attempt to understand why the Agent refused to add the organization.
I hope this helps!