From my understanding, this was caused due to your business account session did not get logged-out completely prior connecting to your VPN server, which requires you to login with your client-business account.
The workaround which you're pointing out is the actual solution for this. Ideally, when you've logged-in to MS cloud resource (Azure, Office365, etc) with account-1, then either you should log-out or there should be session control enabled on the cloud resource to identify and delete you idle session to avoid this situation, because what happens is when you connect to VPN which redirect you back to same authentication server (I believe it'd be login.microsoftonline.com) as part of the SAML authentication, would make the browser to resume the session by sending your Account-1 cookie to the authentication server, if you're session is active; then you get redirected to the cloud resource and face authorization based error messages.
Now, think about the other scenario... VPN redirects to authetication server, browser sends the cookie of Account-1, auth.server would ask you to login again as the cookie is not valid anymore after account-1 log-out, and you can login with Account-2.. Voila!
