Reason for an application user getting disabled unexpectedly:

When creating an application user, if you enter the user name of an existing user in the tenant, the application user will be treated like a regular user. Regular users can get disabled when they lose a license, are removed from the environment security group, have sign-in disabled, etc.

To avoid this problem, do not use a regular user's user name as an application user's user name.

Recommendation: The User Name and Primary Email fields of the application user should not match those of a regular user in the tenant. You can prefix "app" to the primary email and user name.

(Technical details: Application users and regular Azure AD users are stored as the same SystemUser entity in CDS, which causes this conflict. A backend design change is in progress to help customers avoid this issue. Until then, this is a workaround.)
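
One way to audit for the collision described above, as an added example (not Microsoft's code): it flags application users whose User Name or Primary Email matches a regular tenant user and proposes an "app"-prefixed replacement. It assumes records exported from SystemUser with the columns `domainname`, `internalemailaddress` and `applicationid`, plus a list of regular users' names; all sample data is constructed.

```python
# Assumed input: SystemUser rows with domainname (User Name), internalemailaddress
# (Primary Email) and applicationid (set only on application users).

def norm(value):
    """User names and e-mail addresses are compared case-insensitively."""
    return (value or "").strip().lower()


def suggest(value, taken):
    """Prefix "app", as the recommendation suggests, until the name is unused."""
    candidate = "app" + norm(value)
    while candidate in taken:
        candidate = "app" + candidate
    return candidate


def find_collisions(systemusers, tenant_user_names):
    """Application users whose User Name or Primary Email matches a regular user."""
    regular = {norm(n) for n in tenant_user_names if norm(n)}
    findings = []
    for user in systemusers:
        if not user.get("applicationid"):
            continue  # regular user record, nothing to audit
        clashes = {
            field: suggest(user[field], regular)
            for field in ("domainname", "internalemailaddress")
            if norm(user.get(field)) in regular
        }
        if clashes:
            findings.append({"fullname": user.get("fullname"),
                             "isdisabled": bool(user.get("isdisabled")),
                             "rename_to": clashes})
    return findings


# Constructed sample data, not from a real tenant.
TENANT_USER_NAMES = ["jdoe@contoso.example", "Admin@contoso.example"]
SYSTEMUSERS = [
    {"fullname": "Jane Doe", "domainname": "jdoe@contoso.example",
     "internalemailaddress": "jdoe@contoso.example", "applicationid": None},
    {"fullname": "Sync Service", "domainname": "JDoe@contoso.example", "isdisabled": True,
     "internalemailaddress": "sync@contoso.example", "applicationid": "00000000-0000-0000-0000-000000000001"},
    {"fullname": "Billing App", "domainname": "appbilling@contoso.example", "isdisabled": False,
     "internalemailaddress": "appbilling@contoso.example", "applicationid": "00000000-0000-0000-0000-000000000002"},
]

if __name__ == "__main__":
    print(find_collisions(SYSTEMUSERS, TENANT_USER_NAMES))
```
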