Yes, my testing from yesterday is also showing that it's related to the user account. Another user account was able to enroll the same devices that are failing for the affected account. Microsoft support did a comparison of the accounts and said there is some user role difference, but currently, if you go to Azure AD portal -> Users -> role assignment, it shows an error message that the roles can't be read. So, kind of stuck there, and honestly I'm not very confident that this will make a difference.
MS support also had me double-check the device count limit per user and remove outdated devices from the affected user account (it didn't make a difference).
What did they do?