Thanks. Changing the group to be universal now shows them with members, which makes sense since I’m now querying the global catalogue as opposed to the domain controller.
But I guess I’m still missing something. I thought the idea was now only members of the xmpp* groups should now be authorized. But it still looks like everyone in the forest is authorized.