Another option is to disable ShellBridge by setting it to 0. However, this might cause problems with Office apps. https://support.citrix.com/article/CTX267071/password-field-not-displayed-for-published-apps-in-windows-server-2019
Are you asking about the system tray icon? It looks like it can be disabled. https://documentation.n-able.com/remote-management/userguide/Content/systray_enable.htm
I think the SDX config is stored in a database. You can use the Nitro API to query and configure it. https://developer-docs.netscaler.com/en-us/adc-sdx-nitro-api-reference/current-release/configuration/configuration
If you run Get-BrokerDesktopGroup <DesktopGroupName>, what do you see for AutomaticPowerOnForAssigned and AutomaticPowerOnForAssignedDuringPeak? You can set them to $true.
NetScalers (and all other machines) can route. NetScaler just needs a SNIP on a subnet that has a route to the VDAs. Yes, 1494/2598 from SNIP to the VDAs.
You should have an Authentication Virtual Server with SAML as one of the factors. Change the first factor to the EULA and then bind your SAML factor as Next Factor.
Or configure your SAML IdP to show the EULA.
Are there other event IDs in the Event Viewer?
Check Event Viewer > Windows Logs > Security. I'm guessing a User Right is being blocked by a security policy. Users need the right to access the computer from the network.
What do you see in StoreFront Server > Event Viewer > Applications and Services > Citrix Delivery Services?
Why are you using Internet Explorer?
You should install a certificate on the StoreFront server and use https to connect.