Hi adam_c,
I would like to confirm the following things:
1. Has the tenant been upgraded, or is it currently in the middle of the service upgrade?
2. Do you have other on-premises servers, such as mailbox servers or others? Could you provide details of the on-premises environment, such as the Hybrid server version?
3. Run nslookup to see if you can query the DNS TXT value and whether it matches the instructions you were given to verify the domain.
To troubleshoot the issue, I suggest you try the following steps to see if they work.
1. Run the following cmdlet in the Exchange PowerShell console on the Hybrid server.
Set-AutodiscoverVirtualDirectory "ExSerName\Autodiscover (Default Web Site)" -WSSecurityAuthentication $True
Then try restarting the IIS service and run the HCW again to see if it works.
2. Run the cmdlet Get-FederationInformation on the Hybrid server and in Office 365 to see if you get output, and run the HCW repeatedly to check the issue.
3. Double-check whether the certificate is set correctly.
Thanks,
Johnny Zhang
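
The checks suggested in the reply above can be gathered into one read-only pass before re-running the HCW. This is an added example, not part of the original post: the domain and TXT value are placeholders, Resolve-DnsName stands in for nslookup, and it assumes the Exchange Management Shell on the Hybrid server.

```powershell
# Added example: read-only checks, nothing is changed on the server.
# Assumption: run in the Exchange Management Shell on the Hybrid server.
$Domain      = 'contoso.com'                    # placeholder domain (assumption)
$ExpectedTxt = '<TXT-VALUE-FROM-INSTRUCTIONS>'  # placeholder value (assumption)
$report = [ordered]@{}

# DNS check: does a published TXT record match the verification value?
$txt = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'TXT' } |
         ForEach-Object { $_.Strings -join '' })
$report['DNS TXT record matches'] = $txt -contains $ExpectedTxt

# Step 1: WSSecurityAuthentication must be on for every Autodiscover virtual directory.
$vdirs = @(Get-AutodiscoverVirtualDirectory)
$off   = @($vdirs | Where-Object { -not $_.WSSecurityAuthentication })
$report['WSSecurity on Autodiscover'] = ($vdirs.Count -gt 0) -and ($off.Count -eq 0)

# Step 2: federation information must be retrievable for the domain.
try {
    $fed = Get-FederationInformation -DomainName $Domain -ErrorAction Stop
    $report['Get-FederationInformation returns output'] = [bool]$fed
} catch {
    $report['Get-FederationInformation returns output'] = $false
    Write-Warning "Get-FederationInformation failed: $($_.Exception.Message)"
}

# Step 3: at least one certificate assigned to IIS is valid and not expired.
$iisCerts = @(Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' })
$good     = @($iisCerts | Where-Object { $_.Status -eq 'Valid' -and $_.NotAfter -gt (Get-Date) })
$report['IIS certificate valid'] = $good.Count -gt 0
$iisCerts | Format-Table Thumbprint, Subject, NotAfter, Status, Services -AutoSize

# Summary: one line per check, OK or CHECK.
$report.GetEnumerator() | ForEach-Object {
    '{0,-45} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```

The Office 365 half of step 2 is not covered here; it needs the same Get-FederationInformation call from an Exchange Online PowerShell session.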