dirkjanm / ROADtools

A collection of Azure AD/Entra tools for offensive and defensive security purposes

Question: Can this be used to obtain a BPRT for AzureAD join?

dkattan opened this issue · comments

The only supported way to programmatically join a device to AzureAD is to apply a provisioning profile .ppkg file generated from the Windows Imaging Configuration Designer.

I know you are primarily interested in BrowserCore.exe, but since you are all geared up for sniffing named pipes and finding other opportunities to retrieve refresh tokens, I figure you may want to have a look at icd.exe, since it obtains a refresh token using a different built-in exe.

If it helps, it appears that Windows Configuration Designer spawns Microsoft.AAD.BrokerPlugin.exe to generate this token.
C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Microsoft.AAD.BrokerPlugin.exe -ServerName:App.AppXgvz9wxd0frjs1prgz5kvtcz083996jyv.mca

The BPRT request has been implemented based on the AADInternals implementation in 8c399c2.