@jan-tosovsky, Thank you for reaching out and I apologize for the delay in my response. based on this query you shared, I believe the best way to go about is using the on-behalf-of flow. When you go through the details of this flow you would find that initially a user has to first authentication and fetch a token for an API registered in AAD (lets say API-A) and then this API-A would be making the call to the Graph API on behalf of the user.
Initially, when the user has to authenticate to get a token for API-A, since you are using a Daemon app, you can use the ROPC flow where you can specify the username and password in the app code itself using which the token can be requested from AAD.
Now, when using the on-behalf-of flow, you would need to provide delegated permission "Send mail as a user", for graph api on API-A so that it can fetch a token for Graph API on your behalf.
Another approach you could use here to avoid having to grant these rights to all users (which would allow them to send via Outlook, etc.) would be to have your backend app use the client credentials flow to get an app-only token. In that case, the app itself would have the permission to send as any user.
Hope this helps.
Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.