Seems to be by design.

When using AD with LDAPS no session authentication is possible, that is the feedback from the support.

The prerequisites for session authentication is that the vCenter is "joined" to the AD.

Will be nice when such informations will be written more clear in the documentation or in several KB articles, for example here: Deprecation of Integrated Windows Authentication (78506) (vmware.com)