After researching the nature of DFS and the way it works with Entra-native devices, the fix was to simply query an SMB share directly to spur Cloud Kerberos Trust in Entra to generate a TGT for the device. Then, DFS worked properly when connected to Twingate. The long-term solution here will be to change DFS over to SMB for Entra native devices. We can still use DFS to replicate between active/passive file servers and simply use a local DNS CNAME to "switch" between the two. This would be necessary due to the lack of true HA solutions. Without the above long-term solution implemented, DFS shares will eventually stop being accessible on a frequent basis for all employees working remotely for long periods.