Actually, I think I see one more SASL option missing. For the JNDI lookup you also need to set the following:
jndiProperties.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");
We have been considering whether we need to be able to disable the local mechanism server side - I think the issues being encountered here are adding real justification that the answer is yes, we do need it to be possible to disable that for the realm used by apps at the very least.