To sign into the domain, your VPN goes up first. To sign into the laptop, you sign in cached and then fire up the VPN. There is a reason that VPN-first systems like OpenVPN, Pertino, ZeroTier, etc. are so important. They let you do things like central revocation because they always get updates from AD.
Correct. This is the problem. Always.
How does that work when they are on a wifi connection that doesn't connect until after they log in to their laptop?
You have cached creds for that. Log in, connect, reboot.