Be aware that a user will need to login to WFA before you can add them to a category
This is a major limitation and can totally defeat the purpose of restricted Category login. To overcme this, I've a solution. See here.
Its a very simple workflow and works totally fine with sAMAccountName and UserPrincipalName. If you have any questions or need any variation, kindly post it on that thread.
If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.