I though I read somewhere that devices running recent firmware are no longer using udp 123 for ntp. They are doing ntp inside next-tunnel. Can't find info about it tho.

Possibly so - another location to reference is HELP > Firewall Info which shows UDP 123.

I don't see NTP queries being made from Meraki devices over the public Internet - so I believe this is correct.

About 2 weeks ago I had a customers AnyConnect SAML configuration break because of time synchronisation. The time it was syncing from the Meraki NTP servers was around 100s out. SAML allows for a time error of 30s.

Support wasn't able actually to do anything. I was hoping they could point it at some different NTP servers, but nope. It can only use the internal Meraki time servers.

After enough reboots I guess it locked onto a different internal NTP server with the correct time.

That is the only time issue I have ever run into.