AVD and AADJ is a newer and lagging scenario which still has some gaps that we are working on closing. Thus, for the time being, HAADJ+AVD is still acceptable, particularly since AVD is much more flexible and easier to manage when it comes to provisioning as compared to actual, physical endpoints.
Azure ADDS is not a lift and shift of on-prem AD to Azure and is meant more as a last resort to lift and shift "legacy" on-prem apps to be hosted in Azure that have a hard dependency on ADDS and can't be easily modified (or modified at all) to use another IdP for authentication or authorization. Azure ADDS also lacks many capabilities when it comes to end-user endpoints, like group policy.
Just to reiterate as well, authentication always requires line of sight to an identity authority to issue tickets or tokens. In the AD world, that's a domain controller. With older protocols like NTLM, an application could authenticate on your behalf, but this is an attack vector just waiting to be exploited and is not generally a characteristic of more modern auth protocols like Kerberos (from memory, it is technically possible in Kerberos, but not enabled by default and even when enabled, it has to be enabled in a very tightly constrained manner).