Symptoms
The client uses the SharePoint Members group and assigns it workflow Start rights on a process.
Inside the SharePoint Members group, they assigned the "All Users (Membership)" entry.
Each user attempting to start the process receives the following error:
4408 [USERNAME] from 127.0.0.1:7 does not have rights to Start Process [PROJECTNAME]\[PROCESSNAME]
Diagnosis
Upon investigation, the "All Users (Membership)" entry in the group is defined as "c:0!.s|forms:membership" and does not explicitly reference AAD/SP accounts.
Because of this, Appit has no account reference to work with when it uses the group to assign permissions to the specific AAD/SP users, so no permissions are assigned.
Resolution
The client indicated that they worked around this permissions issue by searching for a group called "all" in the workflow context and adding it to the workflow permissions.
I have created a bug for investigation.