I have the same situation for a client install. I have the AD authentication working from the RIM proxy (workgroup) but the user account is created in Qlik Sense with the Workgroup name not the AD name. If the same user logon to the Central node the user account is created with the AD name (domain). I have duplicated accounts and a licensing problem.
Where you able to resolve this?
I resolve this issue with one Read only domain controller into the DMZ. Only this server have the AD connection from DMZ to Backend LAN. After I insert the DMZ server in the domain. If you want you can to user an external autentication module But it not seem to be the your problem.
Have you the same prefix in the virtual hub?