@Sean Byrne
Thank you for reaching out to us. As I understand it, you are trying to configure AnyConnect VPN with Azure AD, and during the process you got the error AADSTS700016.
AADSTS700016 - This means the application you are trying to access does not exist in the organization you are signing into or, I would say, the AppId of the application (sent as client_id) sent to Azure AD is not valid. Double-check that this is the correct AppId.
AppId is not the same as the Application's Object ID or the Service Principal (also called Enterprise App) Object ID.
The saml idp [entityID] configuration under the ASA's webvpn configuration does not match the IdP Entity ID found in the Azure AD metadata.
Let me know if you have any further questions.
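
An added example, not part of the original reply: a small Python check that compares the `saml idp` entity ID in an ASA `webvpn` block with the `entityID` in the Azure AD federation metadata. The sample config, the metadata and the tenant GUIDs are constructed placeholders, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
TENANT_A = "00000000-0000-0000-0000-000000000001"  # placeholder GUID
TENANT_B = "00000000-0000-0000-0000-000000000002"  # placeholder GUID

# Constructed sample inputs (not taken from a real device or tenant).
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}"
    entityID="https://sts.windows.net/{TENANT_A}/"/>"""
SAMPLE_ASA_CONFIG = f"""webvpn
 saml idp https://sts.windows.net/{TENANT_B}/
"""

def metadata_entity_id(xml_text):
    """Return the entityID attribute of the metadata's root EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("root element is not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")
    return entity_id

def asa_saml_idps(config_text):
    """Collect entity IDs from 'saml idp <entityID>' lines inside the webvpn block."""
    ids, in_webvpn = [], False
    for line in config_text.splitlines():
        if line and not line[0].isspace():      # a new top-level section starts
            in_webvpn = line.strip() == "webvpn"
            continue
        m = re.match(r"\s+saml idp (\S+)\s*$", line)
        if in_webvpn and m:
            ids.append(m.group(1))
    return ids

def check(config_text, xml_text):
    """Return a list of findings; an empty list means the entity IDs agree."""
    expected = metadata_entity_id(xml_text)
    configured = asa_saml_idps(config_text)
    if not configured:
        return ["no 'saml idp' entry under webvpn"]
    findings = []
    for cid in configured:
        if cid == expected:                     # exact string match required
            continue
        near = cid.rstrip("/").lower() == expected.rstrip("/").lower()
        kind = "near miss (trailing slash or case)" if near else "mismatch"
        findings.append(f"{kind}: ASA has {cid!r}, metadata has {expected!r}")
    return findings

if __name__ == "__main__":
    print(check(SAMPLE_ASA_CONFIG, SAMPLE_METADATA) or "entity IDs match")
```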