Both @AlbertoCastro and @RedBeardDev are correct here, and I believe that is exactly the point of the question @MrJ is asking: Both work, so which is considered "best"?
I would advise a customer this way: Both paths get you to what you want: the real question is who is administering the users?
In a typical small organization (let's say a few hundred users or less) the group that administers Power Platform are the same folks creating AAD accounts and setting up other access as well. In a case like this, the question matters a lot less because it is one group of admins and those admins can pick whichever pattern works best for their workflow and the security granularity of the organization.
In a large enterprise, however (thousands, hundreds of thousands?) an approach like this is totally unworkable. There is a group somewhere that administers AAD accounts, different folks entirely that do PPlatform, and still others that do whatever other apps and services users need. When this happens, splitting licensing away from access away from identity is a recipe for disaster. This is the reason the association between Security Groups and Environments was created in the first place, and why earlier this year they made it a default choice. The assumption here is that BOTH license and access are controlled by Security Group membership so allocation can happen all the way up at the top - the Admins controlling AAD - so we get back to a pattern where only One group has to control it and it is harder for individual users to fall through the cracks.
So, to make a long answer much shorter, it depends on your specific environment and use case, but in general, administering user access and licensing up at AAD is the preferred approach (I'll stop short of calling it 'best practice' because small orgs can still find lots of value in the granularity of multi-level control).
