How can push AzureAD identities to on prem ActiveDirectory

Situation is that we have multiple sites (AWS VPCs), each with their own self-managed ADDS domains with no network connectivity between them (by design). We need to provision each sites ADDS users automatically from AzureAD identities including password writeback (passwords should only be changed from Azure).

A possible solution (I believe) is to use a cron (scheduled task) to query the Azure graphapi for a user list and provision users using powershells new-aduser cmdlets, setting user attributes to allow for Azure AD Connect password write back to ensure password synchronization.

However, the above needs considerably more investigation and seems like a custom roll your own solution requiring monitoring.

Is there a more out of the box solution (including third parties?) that allows AzureAD --> on premise AD user synch?

There is no out of the box solution that could meet your needs. Your options are: to re-think your design, do custom development (scripting), or purchase third-party solution.

Third-party solutions which might cover you needs fall into Identity Management (IDM) or Identity Governance and Administration (IGA) categories. You can find profucts easily using your favorite search engine

BTW

setting user attributes to allow for Azure AD Connect password write back to ensure password synchronization

This is not gonna work, because Azure AD Connect synchronizes users and passwords from AD to Azure AD, but not the other way around. Hense, password writeback only works when the source of the account is AD