Ok, let me see if I can clear this up. There is ABM and there is MDM. And between the two, you need a Push cert, a DEP token, and a VPP Token.
ABM is all about chain of custody. There are three main topics for chain of custody: hardware, software, and identity. ABM is a contract between Apple and your business. When you establish ABM, Apple is stating that they recognize you as a legitimate business entity and, provided you purchase your Apple hardware from a DEP-aware reseller, your hardware will be associated to your business entity at time of purchase (often before time of receipt) to permit automated device enrollment. This magic starts through Apple's activation servers (you have no direct control of these outside associating devices to an MDM in ABM). In a gross oversimplification, Apple hardware can exist in two states in Apple's activation server infrastructure: retail asset or corporate asset. When an Apple hardware device starts, it must communicate with the activation servers. When it does, it is told if it is a retail asset (unassociated to a business) or a corporate asset (associated to an MDM). The behavior of Setup Assistant is influenced by this decision. A retail asset will simply progress through Setup Assistant. A corporate asset will communicate with your MDM and behave based on the definitions in your prestage policy (enrollment policy).
Software is easier to understand. Using ABM, you purchase or license software from the App Store. Pro tip: If you have 200 devices in your environment, there is a good chance you will eventually have 201, then 210, and so forth. When licensing free software, license more than you need. $0 * 200 = $0 * 500. The benefit is that your fleet can grow and you don't need to keep looping into ABM to add licenses. Get more than you think you will ever need. Your future self will appreciate your current efficiency efforts.
Identity is creating a link between ABM and your identity provider. This does not have a direct impact on your MDM unless you are doing shared iPad or you are using managed Apple IDs to enroll devices or access specific Apple ID-dependent functions. Identity is the federation (link of trust) between ABM and your identity provider (Microsoft). This was discussed in the first post regarding managed Apple IDs. Many organizations I support never make it here. They see no need for Apple IDs and thus will stop at domain lock (prevent creation of future IDs using the company's domain). Traditionally, not federating made sense, but Apple is expanding the capabilities and the necessity to use an Apple ID. Things like Continuity, Universal Control, and iPhone Mirroring require devices be signed into an Apple ID. Just a few years ago, these services did not exist. Today, many users are issued multiple devices, and to get the most benefit, managed Apple IDs are becoming more relevant and useful.
Ok, primer complete. Now to your desire to implement automated enrollment and volume licensing. As I noted, to set up your MDM, you need a Push cert, a DEP token, and a VPP token. What you must understand is that you DO NOT need to use the same account for all three. In a school system, for example, you may have three levels: elementary, middle, and high school. This school district has one Apple School Manager (educator version of ABM) and three MDMs, one for each level. The IT director may have the credentials for the Push and will manage that annually on each MDM. However, in ASM (ABM), the director creates sub-admins for each school. They each have access to their individual VPP token and are able to license software for the needs of their individual school level. Thus, three additional IDs are used for VPP (note, you must create locations to have more than one VPP token - do not try to use one token on multiple MDMs).
This means that in your case, using user@business.com to manage the Push cert while using user@business.appleaccount.com to access and import your DEP and VPP tokens is completely legitimate and very common. The IDs on these items DO NOT need to be the same.
Next, the annual refresh. Please understand the Push is the critical item. Never, ever, ever allow it to expire, and always use the originating ID to RENEW the cert. This is critical. Failure to renew the Push cert can result in total loss of control of your environment.
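As an added illustration of the renewal point above (this is example code, not something from the post or from Apple/any MDM vendor), the script below checks an MDM push certificate before and after renewal. It assumes the input is the text that `openssl x509 -in push.pem -noout -subject -enddate` prints, and that the certificate subject's UID (`com.apple.mgmt.External.<uuid>`) is the APNs topic the enrolled devices are bound to; a renewal done with the originating Apple ID keeps that topic, while a certificate generated under a different Apple ID gets a new one. All sample certificate details and the "today" date are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample output of:
#   openssl x509 -in <cert>.pem -noout -subject -enddate
# The UID in the subject is the APNs topic every enrolled device is bound to.
CURRENT_CERT = """\
subject=UID = com.apple.mgmt.External.11111111-2222-3333-4444-555555555555, CN = APSP:11111111-2222-3333-4444-555555555555, C = US
notAfter=Mar  1 12:00:00 2025 GMT
"""

# Constructed: renewed with the originating Apple ID -> same topic, later expiry.
RENEWED_SAME_ID = """\
subject=UID = com.apple.mgmt.External.11111111-2222-3333-4444-555555555555, CN = APSP:11111111-2222-3333-4444-555555555555, C = US
notAfter=Mar  1 12:00:00 2026 GMT
"""

# Constructed: created under a different Apple ID -> a brand-new topic that
# already-enrolled devices do not recognise.
NEW_CERT_OTHER_ID = """\
subject=UID = com.apple.mgmt.External.aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee, CN = APSP:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee, C = US
notAfter=Mar  1 12:00:00 2026 GMT
"""

# Constructed "today" so the example is deterministic.
SAMPLE_NOW = datetime(2025, 2, 10, 12, 0, tzinfo=timezone.utc)

# Matches both "UID = value" (newer openssl) and "/UID=value" (older openssl).
TOPIC_RE = re.compile(r"UID\s*=\s*(com\.apple\.mgmt\.External\.[0-9A-Fa-f-]+)")
ENDDATE_RE = re.compile(r"^notAfter=(.+)$", re.MULTILINE)


def parse_cert_info(text):
    """Return (topic, not_after) from openssl's -subject/-enddate output."""
    m = TOPIC_RE.search(text)
    if not m:
        raise ValueError("no com.apple.mgmt.External UID in subject; not an MDM push cert?")
    topic = m.group(1)
    m = ENDDATE_RE.search(text)
    if not m:
        raise ValueError("no notAfter line in input")
    # openssl pads single-digit days with two spaces ("Mar  1"); normalise.
    stamp = " ".join(m.group(1).split())
    if not stamp.endswith(" GMT"):
        raise ValueError(f"unexpected time zone in {stamp!r}")
    not_after = datetime.strptime(stamp[:-4], "%b %d %H:%M:%S %Y")
    return topic, not_after.replace(tzinfo=timezone.utc)


def days_remaining(text, now=SAMPLE_NOW):
    """Whole days until the certificate in `text` expires (negative if expired)."""
    _, not_after = parse_cert_info(text)
    return (not_after - now).days


def check_renewal(old_text, new_text, now=SAMPLE_NOW, warn_days=30):
    """Classify the current cert's state and validate a renewal candidate.

    safe_to_install is True only when the candidate keeps the existing topic
    (same originating Apple ID) and actually extends validity.
    """
    old_topic, old_exp = parse_cert_info(old_text)
    new_topic, new_exp = parse_cert_info(new_text)
    left = (old_exp - now).days
    return {
        "days_left": left,
        "expired": left < 0,
        "renew_now": 0 <= left <= warn_days,
        "topic_preserved": new_topic == old_topic,
        "extends_validity": new_exp > old_exp,
        "safe_to_install": new_topic == old_topic and new_exp > old_exp,
    }


if __name__ == "__main__":
    print("current cert expires in", days_remaining(CURRENT_CERT), "days")
    for label, candidate in (("same Apple ID", RENEWED_SAME_ID),
                             ("other Apple ID", NEW_CERT_OTHER_ID)):
        print(label, check_renewal(CURRENT_CERT, candidate))
```

Run it against real exported certificates by replacing the constructed strings with the openssl output for the installed cert and the file you are about to upload; a candidate that reports `topic_preserved: False` is a new push relationship, not a renewal, and installing it is what forces re-enrollment of the fleet.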