When testing the SSO connection to AD over our VPN, if I disconnect and then later reconnect to our VPN, the SSO extension can't find the network. If I run a kinit command in terminal, this seems to resolve it, but I can't have users constantly do this because we're all WFH.
I had this happen for a while on Big Sur (and can confirm it was working flawlessly on 10.15.x). Currently using macOS 11.2.3 and it seems to be working properly now with disconnect/reconnect properly showing that it's connected to the network. Does your VPN add your domain as a search domain? Is it split tunnel or full tunnel?
I realize this topic is long buried, so not sure if this will be answered, but...
Might I inquire how you solved the routing issue, if at all? I'm running into the same issue OP is, and we utilize a split tunnel where the VPN is only for corporate access. We provide no internet access via VPN. In my testing I found that my Mac can ping other VPN-connected clients just fine, but cannot route further into the VPN network. However, if I add a route manually with our corporate network CIDR address, routing works perfectly and I can get Kerberos SSO to work over the VPN.
Unfortunately the route is not persistent and will clear as soon as the VPN disconnects.
I found it odd that macOS doesn't seem to handle routing the same way that Windows clients do (our VPN is provided via Windows RRAS). When I check the routes between macOS and Windows clients they have identical VPN routes, yet the Windows client seems to route fine over the VPN while macOS cannot. At least not without me adding the additional route.
If you haven't already, make sure your VPN configuration is adding a search domain that matches the Kerberos SSO extension so that it knows to send queries for that domain to your internal DNS server over the VPN.
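The two things the thread keeps coming back to are (a) whether the VPN pushes a search domain for the Kerberos realm and (b) whether the KDC's address is actually covered by a route over the tunnel interface. The script below is an added example, not something posted in this thread: it applies both checks to the text output of `scutil --dns` and `netstat -rn`. The realm domain `corp.example.com`, the KDC address `10.20.30.40` and the tunnel interface `utun3` are assumed placeholders, and the two outputs are constructed samples embedded in the script so it runs anywhere; on a Mac you would pass the live output of those two commands instead.

```shell
#!/bin/sh
# Added example (not from the thread): check captured resolver and routing
# output for the two Kerberos-over-VPN prerequisites discussed above.
set -eu

REALM_DOMAIN="corp.example.com"   # assumed realm DNS domain; replace with yours
KDC_IP="10.20.30.40"              # assumed (constructed) KDC address
VPN_IF="utun3"                    # assumed tunnel interface name

# Constructed sample of `scutil --dns`, trimmed to the lines that matter.
SCUTIL_DNS='DNS configuration
resolver #1
  search domain[0] : corp.example.com
  nameserver[0] : 10.20.0.53
  if_index : 22 (utun3)
resolver #2
  nameserver[0] : 192.168.1.1'

# Constructed sample of `netstat -rn`: the VPN pushed only 10.20.1.0/24, so the
# KDC subnet falls through to the default route (the symptom described above).
NETSTAT_RN='Routing tables
Internet:
Destination        Gateway            Flags        Netif
default            192.168.1.1        UGScg        en0
10.20.1/24         10.20.1.1          UGSc         utun3
192.168.1          link#6             UCS          en0'

# ip4_to_int: dotted quad -> 32-bit integer.
ip4_to_int() {
  local IFS=.
  set -- $1
  printf '%s\n' $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# expand_dest: turn a BSD routing-table destination into "network prefixlen".
# "10.20.1/24" -> "10.20.1.0 24"; "192.168.1" (classful) -> "192.168.1.0 24";
# "default" -> "0.0.0.0 0".
expand_dest() {
  local dest="$1" net bits n
  if [ "$dest" = "default" ]; then printf '0.0.0.0 0\n'; return; fi
  net="${dest%%/*}"
  n=$(printf '%s' "$net" | awk -F. '{print NF}')
  case "$dest" in
    */*) bits="${dest##*/}" ;;
    *)   bits=$((n * 8)) ;;
  esac
  while [ "$n" -lt 4 ]; do net="$net.0"; n=$((n + 1)); done
  printf '%s %s\n' "$net" "$bits"
}

# cidr_contains NET BITS IP: succeeds when IP lies inside NET/BITS.
cidr_contains() {
  local mask
  mask=$(( 4294967296 - (1 << (32 - $2)) ))
  [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$3") & mask )) ]
}

# route_iface TABLE IP: print the Netif of the longest-prefix match for IP.
route_iface() {
  local table="$1" ip="$2" best_bits=-1 best_if="" dest netif net bits
  while read -r dest _gw _flags netif; do
    case "$dest" in default|[0-9]*) ;; *) continue ;; esac
    set -- $(expand_dest "$dest"); net=$1; bits=$2
    if cidr_contains "$net" "$bits" "$ip" && [ "$bits" -gt "$best_bits" ]; then
      best_bits=$bits; best_if=$netif
    fi
  done <<EOF
$table
EOF
  printf '%s\n' "$best_if"
}

# has_search_domain DNS_OUTPUT DOMAIN: succeeds when DOMAIN is a search domain.
has_search_domain() {
  printf '%s\n' "$1" | grep -q -- "search domain\[[0-9]*\] : $2\$"
}

# check_kerberos_path DNS_OUTPUT ROUTE_OUTPUT: report both checks; return 0
# only when the search domain exists and the KDC is routed via the tunnel.
check_kerberos_path() {
  local dns="$1" routes="$2" ok=0 iface
  if has_search_domain "$dns" "$REALM_DOMAIN"; then
    echo "ok:   search domain $REALM_DOMAIN is configured"
  else
    echo "FAIL: no search domain for $REALM_DOMAIN; realm lookups will not go to the internal DNS"; ok=1
  fi
  iface=$(route_iface "$routes" "$KDC_IP")
  if [ "$iface" = "$VPN_IF" ]; then
    echo "ok:   $KDC_IP is routed via $VPN_IF"
  else
    echo "FAIL: $KDC_IP is routed via ${iface:-nothing}, not $VPN_IF; the corporate CIDR route is missing"; ok=1
  fi
  return $ok
}

check_kerberos_path "$SCUTIL_DNS" "$NETSTAT_RN" && echo "Kerberos SSO prerequisites look good" || echo "fix the FAIL items above"
```

With the sample data the search-domain check passes and the route check fails, which is exactly the state the manual `route add` was working around. Run it again after the VPN profile pushes the full corporate CIDR (or after adding the route) and both lines should read `ok`.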