> fails with the same errors as reported initially. So running manually in interactive mode works, but starting via systemctl doesn’t

One difference I can think of between running the deamon on the foreground versus running as a service is SELinux context. Did you check if maybe there are some AVC denials if you run sssd as a service?

I'll check the denials - I'm not fully up to speed on AVC denials and selinux, but some googling suggested this command

# ausearch -m avc -c sssd
<no matches>

I noticed about an hour ago that the SSSD 1.16 COPR had been updated earlier this AM. I resync'd our repos and have updated to 1.16.1_2 and everything is working fine now.