In case this helps someone else, I already had TLS 1.2 enabled, so running the PS scripts suggested in the other comments made no difference for me.
I contacted Microsoft support and was offered the following solution, which worked:
- On your new AADC server disable Password Writeback (Location of the setting - https://learn.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback#enable-password-writeback-in-microsoft-entra-connect).
- Then try disabling Staging Mode again (worked for me at this point).
- Re-enable Password Writeback.