Directory.AccessAsUser.All is a delegate permission, it requires you to connect in the user context, whereas your Connect-MgGraph cmdlet uses CBA/application login. This is also the reason why you don't see the Directory.AccessAsUser.All scope listed in the output of Get-MgContext.
Application permissions are not supported for the password reset operation, as mentioned in the official documentation. So, connect in the user context, with an user that has sufficient permissions, and the query should work fine.