In the Azure application the correct value for "Sign On URL" is {moodlesite}/auth/oidc, so you had that right the first time.
You also don't need to create an account in Moodle manually - in fact it's better if you don't. When logging in using OpenID Connect, Moodle will create a user if a user doesn't exist for the Office 365 user, and set up the correct data to understand the connection. It's based off more than just the username so creating a Moodle account manually with the same username will not immediately link it to Office 365.
Try setting the sign-on URL back to /auth/oidc and set the System API user again - let me know how that goes.