Exchange does support IMAP, and it works well with Thunderbird. A lot of administrators like to disable it though, but you can't lay the blame for that on Microsoft. You can still use proxies for Exchange's protocol to IMAP and use Exchange with Thunderbird that way. The last time I did this it worked quite well, but it does take a bit of time to set up.
It's quite strange to see IMAP/SMTP disabled like that, especially with 2FA having been available in Thunderbird for ages now. I'm guessing it's paranoia and not being up to date with IMAP's extensions over the years.
IMAP supports OAuth2 and if you set up an IMAP account in Thunderbird for a Google/Microsoft account, you get a standard OAuth2 popup with all the bells and whistles.
It's possible that your YubiKey/Titan Security Key doesn't get recognised by the in-application browser window, but IMAP definitely supports this standard.
When the token's been retrieved, there's obviously no 2FA, but neither is there any 2FA for Exchange once it's been set up.
You can do 2FA with IMAP, it's the standard setup nowadays in Thunderbird for Gmail, and I've set up an O365 account that way too. You can use OAuth as the auth method and have it work that way.
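The two comments above say IMAP "supports OAuth2" without saying how. What actually happens after the browser popup is the SASL XOAUTH2 mechanism: the access token is carried in the initial client response of `AUTHENTICATE XOAUTH2`, and the password never crosses the wire. The script below is an added illustration, not Thunderbird's or Mozilla's code; it builds the exact wire line, provides the callback shape Python's `imaplib` expects, and replays a rejected-token exchange offline. The hostnames, port, scope string and the server's rejection JSON are assumptions constructed to match Gmail's documented behaviour, not taken from the thread.

```python
"""
How OAuth2 rides on IMAP: the SASL XOAUTH2 mechanism Thunderbird uses for
Gmail and Microsoft 365 once the OAuth2 popup has handed it a token.
Added example; not Thunderbird's code.  Hosts, port and the rejection
payload below are assumptions modelled on Gmail's documented shape.
"""
import base64
import imaplib
import json
import ssl
from typing import Dict, Optional, Tuple

SEP = "\x01"  # XOAUTH2 field separator (byte 0x01)


def xoauth2_initial_response(user: str, access_token: str) -> bytes:
    """SASL client response before base64: user=<u>^Aauth=Bearer <t>^A^A.

    The bearer token stands in for the password; nothing else is sent.
    """
    if SEP in user or SEP in access_token:
        raise ValueError("0x01 is the field separator and may not appear in a field")
    return f"user={user}{SEP}auth=Bearer {access_token}{SEP}{SEP}".encode("utf-8")


def xoauth2_command_line(tag: str, user: str, access_token: str) -> bytes:
    """Exact IMAP line a SASL-IR (RFC 4959) client sends inside TLS,
    e.g. b'A01 AUTHENTICATE XOAUTH2 dXNlcj1...\\r\\n'."""
    blob = base64.b64encode(xoauth2_initial_response(user, access_token))
    return f"{tag} AUTHENTICATE XOAUTH2 ".encode() + blob + b"\r\n"


def decode_xoauth2_response(b64: bytes) -> Tuple[str, str]:
    """Inverse of the above: what the server (or a packet capture) sees."""
    raw = base64.b64decode(b64).decode("utf-8")
    user_part, auth_part, _, _ = raw.split(SEP)
    if not (user_part.startswith("user=") and auth_part.startswith("auth=Bearer ")):
        raise ValueError("not an XOAUTH2 response")
    return user_part[len("user="):], auth_part[len("auth=Bearer "):]


def parse_xoauth2_error(challenge: bytes) -> dict:
    """Gmail rejects a bad or expired token with a continuation whose payload
    is JSON, e.g. {"status":"401","schemes":"bearer","scope":"..."}.
    Fall back to the raw text for servers that answer differently."""
    try:
        return json.loads(challenge.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return {"status": "unknown", "raw": challenge.decode("utf-8", "replace")}


def make_xoauth2_authobject(user: str, access_token: str):
    """Callback in the shape imaplib.IMAP4.authenticate() expects.

    imaplib calls it once per server continuation ('+ ...') with the
    base64-decoded challenge and base64-encodes whatever it returns.
    Round 1: empty challenge -> send the token blob.
    Round 2 (failure only): server sends its status -> record it and answer
    with an empty line so the server can finish with a tagged NO.
    """
    state: Dict[str, Optional[dict]] = {"error": None}
    rounds = {"n": 0}

    def authobject(challenge: bytes) -> bytes:
        rounds["n"] += 1
        if rounds["n"] == 1:
            return xoauth2_initial_response(user, access_token)
        state["error"] = parse_xoauth2_error(challenge)
        return b""

    return authobject, state


def imap_login_oauth2(host: str, user: str, access_token: str) -> imaplib.IMAP4_SSL:
    """Open an authenticated IMAP session (imap.gmail.com or
    outlook.office365.com, port 993, both assumed here); on rejection raise
    with the server's status instead of a bare 'AUTHENTICATE failed'."""
    conn = imaplib.IMAP4_SSL(host, 993, ssl_context=ssl.create_default_context())
    authobject, state = make_xoauth2_authobject(user, access_token)
    try:
        conn.authenticate("XOAUTH2", authobject)
    except imaplib.IMAP4.error as exc:
        conn.shutdown()
        raise RuntimeError(f"XOAUTH2 rejected by {host}: {state['error'] or exc}") from exc
    return conn


def simulate_rejected_login(user: str, access_token: str):
    """Offline replay of a failed exchange with constructed server messages,
    driving the callback exactly as imaplib would."""
    authobject, state = make_xoauth2_authobject(user, access_token)
    first = authobject(b"")  # server sent "+ " (empty challenge)
    rejection = json.dumps({"status": "401", "schemes": "bearer",
                            "scope": "https://mail.google.com/"}).encode()  # constructed
    second = authobject(rejection)  # server sent "+ <base64 json>"
    return first, second, state["error"]


if __name__ == "__main__":
    print(xoauth2_command_line("A01", "alice@example.com", "ya29.EXAMPLE"))
    print(simulate_rejected_login("alice@example.com", "ya29.EXAMPLE"))
```

Two things worth noticing: the "2FA" lives entirely in the browser step that minted the token, so what the IMAP server ever sees is a bearer token whose scope (for Gmail `https://mail.google.com/`, for Microsoft 365 `https://outlook.office.com/IMAP.AccessAsUser.All`) should be as narrow as the client needs; and a client that does not send the empty second response after a rejection will hang waiting for the tagged reply, which is the usual cause of "login just spins" reports with expired tokens.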
Just look at all the specialisation they had to add to work with Gmail's "interpretation" of OAuth2 under threat of regular app passwords being removed by Google.
Exchange is a server you might want to connect to with its proprietary protocol. Thunderbird is only a client and Mozilla already makes it work on Windows. What would Microsoft have to do to support it that's not already done by Mozilla?