rabbitmq ldap authorization for groups with incons

Published 2019-08-17 01:08

I'm trying to set up rabbitmq authorization against LDAP (Microsoft Active Directory) using the in_group or in_group_nested queries. However, since our OU structure is inconsistent across our users, which results in a variety of DN patterns, I had to rely on a user_dn_pattern that simply passes the "domain\account" when binding, which works great from an authentication perspective with Microsoft Active Directory. However, when it comes to the in_group/in_group_nested queries, it doesn't match because the members property is a list of actual DNs, and logs show that it's trying to find "domain\account" in the member list.

Since the LDAP plugin demands a single pattern to construct DNs from the supplied username, am I simply out of luck using group-level LDAP authorization in RabbitMQ?

1 answer
Luminary・发光体
#2 · 2019-08-17 02:00

It should be possible even considering DN inconsistencies; the issue here seems to reside in the way usernames are translated into DNs during authentication.

Instead of relying on a DN pattern, try an LDAP lookup.

The key is to set dn_lookup_bind to do the lookup before the user authentication. This way, the LDAP plugin will bind with these credentials first to do the lookup, then bind with the matching entry's DN to do the user login:

auth_ldap.dn_lookup_attribute = userPrincipalName     # or sAMAccountName
auth_ldap.dn_lookup_base = dc=example,dc=com          # restrict to user ou if any
auth_ldap.dn_lookup_bind = {managerDN, Password}      # AD manager account

# auth_ldap.user_dn_pattern should be left unset to be sure the lookup actually searches
# for a match in dn_lookup_attribute and not for a built-up dn.

I mentioned credentials from an 'AD manager' but it could be any account with sufficient permissions to perform a search on the targeted user entries.

Given that configuration, when the plugin comes to the authorization process, it can properly handle the group membership lookup using the actual user dn.


Edit - Despite what the documentation states about auth_ldap.dn_lookup_bind

To do the lookup before binding, set auth_ldap.dn_lookup_bind to a tuple {UserDN, Password}.

it may be safer to explicitly set:

auth_ldap.dn_lookup_bind.user_dn = <UserDN>
auth_ldap.dn_lookup_bind.password = <Password>
# (OP was required to do so to make it work)
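Added example, not from the original post or the RabbitMQ project: a small in-memory Python model of the two username-to-DN strategies the answer contrasts, showing why in_group/in_group_nested cannot match a "domain\account" bind name against a group's member DNs, and succeeds once the DN is resolved by a dn_lookup_attribute search. The directory entries, group names and the simplified matching logic are constructed assumptions, not the plugin's own code.

```python
# Constructed directory (DN -> attributes) with the inconsistent OU layout the
# question describes. This is a stand-in for AD, not a real LDAP connection.
DIRECTORY = {
    "cn=alice,ou=staff,ou=paris,dc=example,dc=com": {
        "sAMAccountName": "alice", "objectClass": "user"},
    "cn=bob,ou=contractors,dc=example,dc=com": {
        "sAMAccountName": "bob", "objectClass": "user"},
    "cn=rabbit-users,ou=groups,dc=example,dc=com": {
        "objectClass": "group",
        "member": ["cn=alice,ou=staff,ou=paris,dc=example,dc=com",
                   "cn=ops,ou=groups,dc=example,dc=com"]},
    "cn=ops,ou=groups,dc=example,dc=com": {
        "objectClass": "group",
        "member": ["cn=bob,ou=contractors,dc=example,dc=com"]},
}

def dn_from_pattern(username, pattern="${username}"):
    """user_dn_pattern strategy: the 'DN' is just the pattern filled in.
    AD accepts 'DOMAIN\\alice' as a bind name, but it is not a real DN."""
    return pattern.replace("${username}", username)

def dn_from_lookup(username, attribute="sAMAccountName", base="dc=example,dc=com"):
    """dn_lookup_attribute strategy: search below base for attribute=account.
    The 'DOMAIN\\' prefix is stripped, since AD stores only the account name."""
    account = username.split("\\", 1)[-1]
    for dn, attrs in DIRECTORY.items():
        if dn.endswith(base) and attrs.get(attribute) == account:
            return dn
    return None

def in_group(user_dn, group_dn):
    """Direct membership: the user's DN appears in the group's member attribute."""
    return user_dn in DIRECTORY.get(group_dn, {}).get("member", [])

def in_group_nested(user_dn, group_dn, seen=None):
    """Membership through member groups as well; `seen` guards against cycles."""
    if seen is None:
        seen = set()
    if group_dn in seen:
        return False
    seen.add(group_dn)
    members = DIRECTORY.get(group_dn, {}).get("member", [])
    return user_dn in members or any(
        in_group_nested(user_dn, m, seen)
        for m in members if DIRECTORY.get(m, {}).get("objectClass") == "group")

GROUP = "cn=rabbit-users,ou=groups,dc=example,dc=com"
```

With the pattern strategy, `in_group(dn_from_pattern("EXAMPLE\\alice"), GROUP)` is False because the member list holds DNs; with the lookup strategy the same user resolves to her real DN and matches, and bob matches only through the nested ops group.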