Hello.
AZUREADSSOACC is introduced with the inheritance flag disabled (it goes to the Computers OU initially), so hiding it somewhere and delegating at OU level will not work. Direct delegation of Read, Write, reset password, update password doesn't make sense - this will not work. You have to delegate Write All Properties only (up to you how).
Basically https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-faq#how-can-i-roll-over-the-kerberos-decryption-key-of-the--azureadsso--computer-account- >> this needs an update.
For the Azure context - you need Hybrid Admin role (I bet you don't want to use GA here).
For the script - adapt this - https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-faq#how-can-i-roll-over-the-kerberos-decryption-key-of-the--azureadsso--computer-account-
Remember to call Update-AzureADSSOForest with -PreserveCustomPermissionsOnDesktopSsoAccount (as you modified DACLs on AZUREADSSOACC)
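The procedure described in this post, written out as an added PowerShell example (not code from the post, the linked Microsoft article, or Azure AD Connect itself): check that inheritance really is blocked on AZUREADSSOACC, delegate Write All Properties directly on the object to a dedicated group, verify the resulting ACE, and then roll the Kerberos decryption key with -PreserveCustomPermissionsOnDesktopSsoAccount so the custom DACL survives. The group name SSO-KeyRollover-Operators and the AzureADSSO.psd1 path (the default Azure AD Connect install folder) are assumptions; substitute your own. The ACL steps need to run as an account that can modify the object's security descriptor, the rollover as the delegated on-premises account plus a Hybrid Identity Administrator in Azure AD.

```powershell
# Added example; not from the original post. Assumes RSAT ActiveDirectory module,
# the AzureADSSO module shipped with Azure AD Connect, and a placeholder group
# named SSO-KeyRollover-Operators that will hold the rollover operators.
Import-Module ActiveDirectory

$account = Get-ADComputer -Identity 'AZUREADSSOACC'
$path    = "AD:\$($account.DistinguishedName)"
$acl     = Get-Acl -Path $path

# 1. Inheritance is disabled on AZUREADSSOACC by default, which is why an
#    OU-level delegation never reaches it. Flag any deviation from that default.
if (-not $acl.AreAccessRulesProtected) {
    Write-Warning 'Inheritance is enabled on AZUREADSSOACC; this differs from the default.'
}

# 2. Delegate "Write All Properties" (WriteProperty with no attribute GUID)
#    directly on the object, with no inheritance to child objects.
$group = Get-ADGroup -Identity 'SSO-KeyRollover-Operators'   # placeholder group
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID
$rule  = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
)
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Verify the ACE landed. Re-run this after every rollover as an audit check:
#    if the row disappears, the custom DACL was reset.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -like '*SSO-KeyRollover-Operators' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited

# 4. Roll the key as the delegated user. The switch keeps the DACL set above;
#    without it the rollover restores the default permissions on the account.
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
New-AzureADSSOAuthenticationContext            # prompts for the Azure AD account
Get-AzureADSSOStatus | ConvertFrom-Json        # lists the forests SSO is enabled in
$creds = Get-Credential -Message 'On-premises delegated account (DOMAIN\user)'
Update-AzureADSSOForest -OnPremCredentials $creds -PreserveCustomPermissionsOnDesktopSsoAccount
```

Steps 1 to 3 are done once (and step 3 repeated whenever you want to confirm the delegation is still in place); step 4 is the recurring rollover, and it is the step that must carry the switch every time, since a single run without it silently undoes the delegation.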