Both AAD and ADFS 4.0 (Server 2016) have support for JWT - normally from OpenID Connect / OAuth but also from WS-Fed (via ADFS).
On the RP side, you get a claims principal that contains some of the information that's in the JWT but it's hard to figure out the relationship.
You can see some of it via Get-ADFSClaimDescription with PowerShell.
ClaimType : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
IsAccepted : True
IsOffered : True
IsRequired : False
Name : Name ID
ShortName : sub
Notes : The SAML name identifier of the user
You can see more info. here.
So "sub" in the JWT contains the NameID and this then is transformed to a NameID claim by the middleware.