The problem ended up being twofold:
1) We had the EF context in a separate project from the web project. I had to add the Microsoft.Azure.Services.AppAuthentication package and config changes to enable the SQL authentication provider to the project containing the context and migrations.
2) After resolving (1), username/password connection strings would work again even with the auth provider registered; however, Azure AD token authentication still didn't work with the EF package manager console tools. This ended up being due to a DLL (Microsoft.IdentityModel.Clients.ActiveDirectory) failing to load because of a version mismatch. I made both projects use the same version of this package and corrected the binding redirects, and then AD authentication worked.
The key was that Get-Migrations did not provide any error output - it just said there were no migrations. However, running Update-Database was much more enlightening as it actually provided an exception that indicated what was failing in the authentication.
I believe the issue revolves around the fact that the application was working correctly based on the web application project's packages/configuration, whereas it appears the EF CLI tools were using the other project's DLL directly, with the web.config from the web project, which opened it up to inconsistency.
Thank you to @ajkuma for the assistance.
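
The version mismatch described in the answer above can be checked for before running the EF tools. The following PowerShell is an added example, not code from the original post: the packages.config and web.config fragments and their version numbers are constructed samples, and the function names are hypothetical. It assumes stable three-part NuGet versions whose first three components match the assembly version named in the binding redirect.

```powershell
# Constructed sample inputs (not from the post); version numbers are illustrative.
$assembly = 'Microsoft.IdentityModel.Clients.ActiveDirectory'
$webPackages = [xml]@'
<packages>
  <package id="Microsoft.IdentityModel.Clients.ActiveDirectory" version="5.2.0" />
</packages>
'@
$dataPackages = [xml]@'
<packages>
  <package id="Microsoft.IdentityModel.Clients.ActiveDirectory" version="4.3.0" />
</packages>
'@
$webConfig = [xml]@'
<configuration><runtime>
  <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
    <dependentAssembly>
      <assemblyIdentity name="Microsoft.IdentityModel.Clients.ActiveDirectory" />
      <bindingRedirect oldVersion="0.0.0.0-5.2.0.0" newVersion="5.2.0.0" />
    </dependentAssembly>
  </assemblyBinding>
</runtime></configuration>
'@

function Get-PackageVersion([xml]$PackagesConfig, [string]$Id) {
    # packages.config holds one <package id="" version=""> element per dependency
    $pkg = @($PackagesConfig.packages.package) |
        Where-Object { $_ -and $_.GetAttribute('id') -eq $Id } | Select-Object -First 1
    if ($pkg) { [version]$pkg.GetAttribute('version') }
}

function Get-RedirectTarget([xml]$Config, [string]$Name) {
    # The version the runtime will actually try to load for this assembly
    $dep = @($Config.configuration.runtime.assemblyBinding.dependentAssembly) |
        Where-Object { $_ -and $_.assemblyIdentity.GetAttribute('name') -eq $Name } | Select-Object -First 1
    if ($dep) { [version]$dep.bindingRedirect.GetAttribute('newVersion') }
}

$versions = [ordered]@{
    Web  = Get-PackageVersion $webPackages  $assembly
    Data = Get-PackageVersion $dataPackages $assembly
}
$redirect = Get-RedirectTarget $webConfig $assembly
$summary  = ($versions.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '
$problems = @()
if (@($versions.Values | ForEach-Object { "$_" } | Select-Object -Unique).Count -gt 1) {
    $problems += "Projects reference different versions of ${assembly}: $summary"
}
foreach ($name in $versions.Keys) {
    $v = $versions[$name]   # compare Major.Minor.Build only; the redirect carries a 4th part
    if ($v -and $redirect -and $v.ToString(3) -ne $redirect.ToString(3)) {
        $problems += "$name has $v but the web.config redirect targets $redirect"
    }
}
if ($problems) { $problems } else { "No mismatch found for $assembly ($summary)" }
```

To run it against real projects, replace the here-strings with `[xml](Get-Content <path>)` for each project's packages.config and the web project's web.config.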