I got it sussed eventually by reading through the ‘Status Checks Change Notice’ emails from my MIAB [about which more in another post!] and seeing entries for a missing MTS-STS policy for each of my other domains.
So, I’ve now created an mta-sts.domain.com sub-domain for every domain my MIAB is serving email for and all the appropriate DNS records and my MIAB status checks are a lot happier. Though I am still getting that ‘unexpected content’ error for each one. However the other external checkers I’ve tried have given everything the green iight. So I’m asuming @openletter’s theory is right anf that MIAB is just complaining because my mode is set to testing.