I found a solution I think, it's a missing line in the sssd.conf file (at least it was for me).
In the auth.log you will see entries like the following when running Invoke-VMScript with an AD account.
Mar 26 19:31:02 ubuntu1 VGAuth[333]: pam_sss(vmtoolsd:account): Access denied for user lucd@local.lab: 6 (Permission denied)
Turns out that you need to specify in the sssd.conf file the following
ad_gpo_map_batch = +vmtoolsd
Restart sssd with 'systemctl restart sssd', and now the Invoke-VMScript works with an AD account.
The auth.log now shows
Mar 26 19:53:05 ubuntu1 VGAuth[333]: pam_sss(vmtoolsd:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=lucd@local.lab
Mar 26 19:53:05 ubuntu1 VGAuth[333]: vmtoolsd: Username and password successfully validated for 'lucd@local.lab'