I was actually noticing this the other day but on Macs without TouchID. I'm going through enrolling all DEP Macs into JAMF and ran across issues if they enter their creds incorrectly at the setup assistance stage. Each incorrect user attempt is seen by AD as 3 failed attempts.

I've expanded on it here

I upped my lockout threshold to 10 attempts in 1 hours which equals 3 incorrect attempts by a user and hopefully they get it right on the fourth go

Scratch that... it seems to happen even if I login from a lock screen with my password...
However if I uncheck "Unlocking your mac" I can log in from a lock screen without issue.

Seems to be related to this issue:

https://www.jamf.com/jamf-nation/discussions/21320/sierra-ad-account-lockout-when-setting-up-icloud

I saw this exact issue when unlocking using an Apple Watch. 2 bad password attempts to AD, and it bypasses locked out account status.

I can confirm I see the apple watch behavior as well.

It's the same problem as the other thread. Any password policy will get locked out if you use your AppleID in the App Store, iTunes or iCloud. AD will be locked if you bind to AD.

What about Single Sign-On? Can't you have jss sync the AD account to the Touch ID through Single Sign-On???

http://docs.jamf.com/9.93/casper-suite/administrator-guide/Single_Sign-On.html

I'm seeing this behavior without using an AppleID at all. On macOS 10.12.2 my account gets locked out any time I try to unlock the Mac after waking from sleep or screen saver. I can login successfully, engage the screen saver and then when I try to log back in I am immediately locked out.