This is a technical forum, and licensing questions are not technical. You cannot expect any authoritative answers here. You would need to talk to a Microsoft licensing specialist.
The one question I feel confident to answer is the last one:
When is a VM that runs Always On passive? When it only contains secondary replicas and the secondary replicas can not be used to read data? Or is a secondary replica always considered being active?
If you have a readable secondary, the machine it runs on must be fully licensened. A passive node is one that can't be used at all.
Although, this may change a little bit if you have Software Assurance, as it comes with some freebees. (Overall, my impression is that Software Assurance pays off.)