• I checked the sys.login_token view but it won't help me because the Windows group in the working database is a different one than the group in the non-working one.

    I managed to "solve" it in the following way:

    Created 4 new security groups in Active Directory. Assigned all members to each group.

    Logged off all client users, restarted their computers, and restarted the server for good measure.

    Added the 4 groups to my database as users, one by one.

    The first 3 groups did NOT work. The 4th group DID work.

    Removed all non-working group users from my database.

    So now I can run it with the 4th group I created ... It works but it is awkward that I need to create 4 groups before it works. I guess that's hard to answer unless Microsoft might be able to track this down. Sounds like there is some sort of internal Monte-Carlo system built in which randomly selects operational security groups ...