For what it's worth, this is a very, very, very longstanding limitation of the ROPC flow with the Microsoft Identity Platform. ROPC is an incredibly poor choice for this purpose. A much better approach would be the client credentials grant which can still be used with the existing codebase for interacting with the Exchange Online API.
The ROPC flow defeats one of primary purposes of OAuth2.0 which is authorizing an app to access your data without giving it the username and password. You're basically doing basic auth to get an OAuth2.0 token.
Solid references on why you shouldn't use ROPC
https://auth0.com/docs/get-started/authentication-and-authorization-flow/resource-owner-password-flow
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
https://www.scottbrady91.com/oauth/why-the-resource-owner-password-credentials-grant-type-is-not-authentication-nor-suitable-for-modern-applications