Issues Configuring LDAP Authentication

OK…mostly resolved. The key ended up being changing authz.roles_from_myldap.userrolename: disabled to userrolename: memberOf.

At this point, I can use the AD Group Name as a backend role and successfully log in. However, this appears to prevent me from setting a group name to have the equivalent permissions of the admin and kibanaserver backend roles. I attempted to do this by duplicating the SG_ALL_ACCESS role (for admin) and renaming it, but that doesn’t appear to work. I’m opening another question for that, since this one is resolved.
