Thanks Alexander.
I did associate the IDP with the user account, and allowed that user to use the idp auth type.
That troubleshooting section helped; I was able to find this response after increasing the oidc debug level:
{"error":"unauthorized_client","error_description":"client missing grant type authorization_code"}
I'm unsure if this is something I need to change on the IPA or Zitadel side.
The clients do support the krb5-preauth; they are all Fedora 39, fully updated.