We're using the Azure AD On-Behalf-Of flow for connecting a user to several services through a single API gateway. Now we'd like to add another service (Nextcloud, synced through LDAP) which only supports SAML 2.0 and not OAuth2.
Is it possible to somehow convert an OAuth token into a SAML token, maybe through an Azure AD API? Or is there some other way to connect this service that I maybe haven't thought of?