FortiSASE
adhawan
Staff
Article Id 327124

 

Description This article describes the script error 'Access is denied' while the VPN auto-connects using Entra ID SSO.
Scope FortiSASE.
Solution

As shown in the image below, the script error 'Access is denied' indicates that the custom redirect URL field is blank.


Auto-Login.png
Solution:
Check and confirm that the enterprise application is registered in Azure. This registration is necessary to allow FortiClient, as a mobile/desktop application, to query Microsoft Entra ID identity services.


Screenshot 2024-07-22 102116.png

 

Enable 'Use external browser as user-agent for SAML login' in the profile: go to Configuration -> Profiles, edit the profile, go to Connection -> VPNs available to users, select Secure Internet Access, then under Advanced Settings enable 'Use external browser as user-agent for SAML login'.

 

To identify the profile for the connected user, use the KB article below: Technical Tip: How to identify the Profile and security POP used by a connected VPN user

 

saml-external.png

 

This setting will allow FortiClient to launch the default external web browser, and allow end users to log in using the web browser instead of the FortiClient embedded web browser.

 

Related document:
Registering FortiSASE as a mobile/desktop application with a custom redirect URI