@Marcin Puwalski Apologies, I overlooked the error code: 8453 “Replication access was denied.”
Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.GetChanges tries to retrieve the changes, which requires replication permission, and this call is made by AAD Connect and not via the DC. For this, I’d say there are missing permissions: ReplicateDirectoryChanges and ReplicateDirectoryChangesAll.
I would request you to verify that the required permissions are in place for the AD DS connector account. Reference: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#:~:text=AD%20DS%20Connector%20account%20required%20permissions%20for%20express%20settings
Refer to the steps in this article https://learn.microsoft.com/en-US/troubleshoot/windows-server/windows-security/grant-replicating-directory-changes-permission-adma-service on how to give the permissions ReplicateDirectoryChanges and ReplicateDirectoryChangesAll at the domain level.
If this doesn't help, let's connect offline to troubleshoot the same.
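
One way to run the permission check suggested in the answer above, as an added example that is not part of the original reply or of Microsoft's documentation. It reads the ACL on the domain root and lists every principal holding either replication right; the account name `CONTOSO\MSOL_placeholder` is a placeholder assumption, and the script assumes the ActiveDirectory PowerShell module (RSAT) is installed.

```powershell
# Added example: audit who holds the two replication extended rights on the domain root.
Import-Module ActiveDirectory

# Placeholder (assumption): replace with your AD DS connector account, DOMAIN\sAMAccountName.
$ConnectorAccount = 'CONTOSO\MSOL_placeholder'

# rightsGuid values of the two control access rights named in the answer.
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

$domainDn = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDn"
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Collect Allow ACEs on the domain head that grant either right by GUID.
$holders = foreach ($ace in $acl.Access) {
    $guid = $ace.ObjectType.ToString()
    if ($ace.AccessControlType -eq 'Allow' -and
        ($ace.ActiveDirectoryRights -band $extRight) -and
        $ReplRights.ContainsKey($guid)) {
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Right     = $ReplRights[$guid]
            Inherited = $ace.IsInherited
        }
    }
}

# Full list of holders: these rights allow reading password hashes via replication,
# so every entry should be a domain controller group or a known sync account.
$holders | Sort-Object Identity, Right | Format-Table -AutoSize

# Compare against the connector account (direct ACEs only).
$granted = @($holders | Where-Object { $_.Identity -eq $ConnectorAccount } |
             Select-Object -ExpandProperty Right)
$missing = @($ReplRights.Values | Where-Object { $_ -notin $granted })

if ($missing) {
    Write-Warning "$ConnectorAccount has no direct ACE for: $($missing -join ', ')"
} else {
    Write-Output "$ConnectorAccount holds both replication rights on $domainDn"
}
```

Rights granted through group membership appear under the group's name, so a warning for the account means its groups in the listed holders should be checked before concluding the permission is absent.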