To solve my problem (unable to pass device code auth to the defender APIs due to these policies blocking authentication), I have modified the classic policy to not apply to the specific users that require API access, after confirming that these users will not be registering devices associated with intune/defender. I've seen some discussion posts (on other forums) where people have deleted the classic policies on the assumptions they are irrelevant - which I think is a mistake.