fsi-open / admin-security-bundle

Provides simple authentication & authorization mechanisms for https://github.com/fsi-open/admin-bundle


EnforcePasswordChangeListener priority

JarekW opened this issue · comments

EnforcePasswordChangeListener redirects the user to the password change page, but it is invoked after Symfony's Firewall listener, which has a higher priority. When the user clicks on a link to a page which they don't have permission for, an access denied exception will be thrown before EnforcePasswordChangeListener runs.

Simply changing the priority is not enough. Before the firewall starts we cannot use $authorizationChecker->isGranted() and we have no token. Maybe we can also listen for kernel.exception?

I think we can add checks in the SecuredManager class after it gets merged, that will assert the user does not need to change his password. If he does, access to all elements would be restricted.
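One way to implement the ordering discussed above, as an added example that is not code from admin-security-bundle or from the commenters: a single subscriber that (a) listens on kernel.request at a priority just below the Firewall listener, so a security token already exists, and (b) also listens on kernel.exception so that an AccessDeniedException raised by the firewall's access check still ends in a redirect to the password-change page instead of a 403. The route name `app_change_password`, the `EnforceablePasswordChangeInterface` declared inline, the listener priorities (Symfony's Firewall at 8 on kernel.request, its ExceptionListener at 1 on kernel.exception) and the Symfony 5.3+/PHP 8 API are all assumptions of this example.

```php
<?php
// Added example, not the bundle's own code. All names below are assumptions.
namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\ExceptionEvent;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

// Assumed user contract: in a real project this would be the bundle's interface
// (or any user class that can report a forced password change).
interface EnforceablePasswordChangeInterface
{
    public function isForcedToChangePassword(): bool;
}

final class EnforcePasswordChangeSubscriber implements EventSubscriberInterface
{
    // Assumed route name of the password-change form. It must be reachable by a
    // logged-in user (e.g. allowed in access_control), otherwise the redirect
    // itself raises AccessDeniedException and the user loops.
    private const CHANGE_PASSWORD_ROUTE = 'app_change_password';

    public function __construct(
        private TokenStorageInterface $tokenStorage,
        private UrlGeneratorInterface $urlGenerator,
    ) {
    }

    public static function getSubscribedEvents(): array
    {
        return [
            // Assumed: Symfony's Firewall subscribes to kernel.request at priority 8.
            // Priority 7 runs right after it, so the token is populated here.
            KernelEvents::REQUEST => ['onKernelRequest', 7],
            // Assumed: the security ExceptionListener converts AccessDeniedException
            // at priority 1. Priority 10 lets this subscriber act first.
            KernelEvents::EXCEPTION => ['onKernelException', 10],
        ];
    }

    // Normal path: the firewall let the request through, but the user still has
    // to change their password, so every other page is redirected.
    public function onKernelRequest(RequestEvent $event): void
    {
        if (!$event->isMainRequest() || !$this->mustChangePassword()) {
            return;
        }
        if ($this->isChangePasswordRoute($event->getRequest()->attributes->get('_route'))) {
            return; // already on the form; avoid a redirect loop
        }
        $event->setResponse($this->redirectToChangePassword());
    }

    // Denied path: the firewall's access check threw before kernel.request reached
    // us. Only AccessDeniedException is intercepted; other errors keep their handling.
    public function onKernelException(ExceptionEvent $event): void
    {
        if (!$event->isMainRequest() || !$event->getThrowable() instanceof AccessDeniedException) {
            return;
        }
        if (!$this->mustChangePassword()
            || $this->isChangePasswordRoute($event->getRequest()->attributes->get('_route'))) {
            return; // a genuine 403, or the form itself is forbidden: do not mask it
        }
        $event->setResponse($this->redirectToChangePassword());
    }

    private function mustChangePassword(): bool
    {
        // A token exists only after the firewall has run; null means "not applicable".
        $user = $this->tokenStorage->getToken()?->getUser();

        return $user instanceof EnforceablePasswordChangeInterface
            && $user->isForcedToChangePassword();
    }

    private function isChangePasswordRoute(?string $route): bool
    {
        return $route === self::CHANGE_PASSWORD_ROUTE;
    }

    private function redirectToChangePassword(): RedirectResponse
    {
        return new RedirectResponse($this->urlGenerator->generate(self::CHANGE_PASSWORD_ROUTE));
    }
}
```

The kernel.exception branch deliberately leaves the 403 in place when the user is not flagged for a password change, and also when the denied page is the change-password form itself; masking the latter would turn a misconfigured access_control into an infinite redirect rather than a visible error. Verify the priorities against the Symfony version in use with `bin/console debug:event-dispatcher kernel.request` and `... kernel.exception` before relying on the ordering.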