We made some really good progress on this today - we were actually correct with the UID=0 issue. We tweaked some permissions, and that helped, but it didn't solve a thing.
So I added the following code to smb.conf:
idmap config [domain.name]:backend = ad
idmap config [domain.name]:range = 10000-199999999
And we changed the range for the idmap config default to 3000-7999.
Our UIDs are now being pulled correctly and providing basic access, but the GIDs are now where we struggle.
The user is being placed in the primary GID of Domain Users (I used adquery to verify the GID), but the group that we apply permissions to is not Domain Users, so it is not providing access for that reason.
Currently trying to narrow down how we can get it to see more AD groups for access. Will continue to post updates if we figure it out.
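One thing worth checking in a setup like the one described above is whether the idmap ranges are disjoint and whether the AD gidNumber of the group you grant permissions to actually falls inside the domain's range (winbind ignores IDs outside the configured range). The following checker is an added example, not code from the original post; the smb.conf fragment and the GID value in it are constructed, and the domain name is assumed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed smb.conf fragment mirroring the post's description
# (default range 3000-7999, domain range 10000-199999999, ad backend).
SAMPLE_SMB_CONF = """
[global]
   workgroup = DOMAIN
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config DOMAIN : backend = ad
   idmap config DOMAIN : range = 10000-199999999
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {option: value}} for every 'idmap config' line."""
    out: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            out.setdefault(dom, {})[opt.lower()] = val
    return out


def parse_range(text: str) -> Tuple[int, int]:
    """Parse 'LOW-HIGH' into integers, rejecting inverted ranges."""
    lo, hi = (int(x) for x in text.split("-"))
    if lo > hi:
        raise ValueError(f"inverted range: {text}")
    return lo, hi


def find_problems(conf: str) -> List[str]:
    """Report domains without a range and pairs of ranges that overlap."""
    cfg = parse_idmap(conf)
    problems: List[str] = []
    ranges: List[Tuple[str, int, int]] = []
    for dom, opts in cfg.items():
        if "range" not in opts:
            problems.append(f"{dom}: no idmap range configured")
            continue
        lo, hi = parse_range(opts["range"])
        ranges.append((dom, lo, hi))
    ranges.sort(key=lambda r: r[1])  # sort by low end, then compare neighbours
    for (d1, lo1, hi1), (d2, lo2, hi2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"{d1} ({lo1}-{hi1}) overlaps {d2} ({lo2}-{hi2})")
    return problems


def domain_for_id(conf: str, unix_id: int) -> Optional[str]:
    """Return the idmap domain whose range covers unix_id, or None if unmapped."""
    for dom, opts in parse_idmap(conf).items():
        if "range" in opts:
            lo, hi = parse_range(opts["range"])
            if lo <= unix_id <= hi:
                return dom
    return None
```

Feed `domain_for_id` the gidNumber that adquery reports for the group you set permissions on: a result of None means winbind will never hand that GID to the user.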