I don't think this (Azure AD Password Protection) actually implements a pwnedpasswords-style check.
It lets you upload your own custom list of banned passwords but it's limited to 1000 words. My impression is that this is intended to blacklist common words and things like your company name.
I see that Troy Hunt is now working for Microsoft so perhaps there's something in the works related to this. It seems like linking this Azure AD service to the haveibeenpwned API would be pretty straightforward.
The problem is the password change UI on Windows systems is terrible. It does not give users any clue why their password was not accepted other than "Unable to update the password. The value provided does not meet the length, complexity, or history requirements of the domain."
If you have the DS-Replication-Get-Changes permission, you can exploit dc-sync through something like mimikatz [0] to grab the password hashes out of Active Directory, so you can run your checks.
I'm using Active Directory and options for extra password checks are somewhat limited.