We resolved this with the help of Mendix Support. They recommended a couple of config changes:
1) Set the value of DeepLink.LoginLocation to /sso/login?f=true&cont=, so you get redirected to the correct login handler.
2) Set the com.mendix.core.SameSiteCookies custom runtime setting to Lax, so the session cookie is sent to the Mendix runtime after a successful sign-in with the IdP.
That got it working for us. Your mileage may vary.