If you have OnPrem mailboxes in a hybrid Exchange Org then you need to use EWS to access those OnPrem mailboxes as you have already found the Graph support https://learn.microsoft.com/en-us/graph/hybrid-rest-support the Outlook Rest endpoints have also been depreciated https://learn.microsoft.com/en-us/previous-versions/office/office-365-api/api/version-2.0/use-outlook-rest-api
Hybrid Modern Authentication will work in EWS as long as it's been configured https://learn.microsoft.com/en-us/microsoft-365/enterprise/hybrid-modern-auth-overview?view=o365-worldwide
In EWS to use Hybrid Modern Authentication you just request a Token from Azure with the audience of your OnPrem EWS endpoint, if your using the client credentials flow in the Graph you can also use that in EWS using a scope like https://localews.endpoint.com/.default or if its a delegate flow https://localews.endpoint.com/EWS.AccessAsUser.All. You do need to make sure the permission are added and consented to in you application registration like https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-authenticate-an-ews-application-by-using-oauth
If you just want to check if hybrid Modern Authentication is enable on the local EWS endpoint you can do a blank bearer request on the EWS endpoint eg
public void CheckForHybridModernAuthenticationv2(string ewsUrl)
{
using (HttpClient client = new HttpClient())
{
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", "");
var authTestResult = client.GetAsync(ewsUrl).GetAwaiter().GetResult();
foreach (var wwwAuthHeader in authTestResult.Headers.WwwAuthenticate)
{
Console.WriteLine(wwwAuthHeader.Scheme);
Console.WriteLine(wwwAuthHeader.Parameter);
}
}
}
What you should get back in the wwwAuthHeader is something like
both the authorization_uri and trusted issuer is telling you that its ready to go with Hybrid Modern Auth