So I'll share my perspective: if you have CPPM deployed, then you'd never send context from the MM; CPPM can pass a lot more contextual info about the user and the device to PANW. You nailed the part about the return data flow as well, but IMO the BIGGEST story here is that we can use CPPM's role mapping to drive policy. Let CPPM do its 'thing': generate the role or roles for a session based upon all of the contextual data we look at for a user (device, location, ToD/DoW, compliance, etc.) and then federate the role into the PANW as a PAN-TAG; TAGs then drive the DynamicAccessGroups in a PAN. This SO simplifies the security needed in the PANW, in essence down to the number of roles in CPPM; you should be able to have a 1:1 mapping, significantly simplifying your firewall security policies.
Another way to look at this: UserId is typically driven off user-mapping from AD memberOf. These are STATIC mappings and as such are exactly that, STATIC; they don't represent the 'session' or 'device'... that's why I love the role integration we introduced like 2 years back.
HTH
One other thing we added last year was to also integrate GPVPN + OnGuard into CPPM, to allow a VPN user to authN on CPPM, have OnGuard send endpoint posture, then use the ROLE to update the PAN firewall/VPN concentrator with the health/compliance state of the endpoint. This was only possible with the ROLE integration.
HTH
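To make the role-to-tag flow described above concrete, here is an added example (not code from the poster, Aruba ClearPass, or Palo Alto Networks). It assumes the PAN-OS User-ID XML API `uid-message` format (`login`, `register`, `unregister` entries carrying tag members), which is the mechanism a CPPM context server action uses to push tags; the `cppm-` tag naming convention, the sample session, and the DAG match filter syntax (`'tag-a' and 'tag-b'`) are assumptions for illustration. The session update computes the tag delta when OnGuard posture changes a role, so the firewall only sees the tags that actually changed, which is what lets a single Dynamic Address Group per CPPM role drive policy 1:1.

```python
import xml.etree.ElementTree as ET

# Constructed sample session (assumption): CPPM re-evaluated roles after
# OnGuard posture arrived, moving the endpoint from "OnGuard Unknown" to
# "OnGuard Healthy" while the "Employee" role stayed the same.
SAMPLE_SESSION = {
    "ip": "10.20.30.40",
    "user": "corp\\jdoe",
    "previous_roles": ["Employee", "OnGuard Unknown"],
    "roles": ["Employee", "OnGuard Healthy"],
}


def role_to_tag(role: str, prefix: str = "cppm-") -> str:
    """Map one CPPM role name to one PAN tag name (1:1).

    The tag is the lowercased, hyphenated role with a prefix marking it as
    CPPM-sourced so it cannot collide with locally defined tags.  The
    convention itself is an assumption, not a ClearPass or PAN-OS default.
    """
    cleaned = "".join(ch if ch.isalnum() else "-" for ch in role.strip().lower())
    while "--" in cleaned:
        cleaned = cleaned.replace("--", "-")
    return prefix + cleaned.strip("-")


def build_uid_message(ip, register_tags=(), unregister_tags=(), login_user=None):
    """Build a PAN-OS User-ID API uid-message for one endpoint IP.

    Unregister stale tags before registering new ones so a DAG never sees
    both the old and new compliance tag on the same address.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if login_user:
        # Session-based IP-to-user mapping replaces static AD memberOf lookups.
        login = ET.SubElement(payload, "login")
        ET.SubElement(login, "entry", name=login_user, ip=ip)
    for action, tags in (("unregister", unregister_tags), ("register", register_tags)):
        if not tags:
            continue
        entry = ET.SubElement(ET.SubElement(payload, action), "entry", ip=ip)
        tag = ET.SubElement(entry, "tag")
        for t in tags:
            ET.SubElement(tag, "member").text = t
    return ET.tostring(root, encoding="unicode")


def session_update(session):
    """Translate a CPPM role change into the minimal tag delta for the firewall."""
    old = {role_to_tag(r) for r in session["previous_roles"]}
    new = {role_to_tag(r) for r in session["roles"]}
    return build_uid_message(
        session["ip"],
        register_tags=sorted(new - old),
        unregister_tags=sorted(old - new),
        login_user=session["user"],
    )


def dag_match_filter(roles):
    """DAG match criteria requiring every one of the session's role tags."""
    return " and ".join(f"'{role_to_tag(r)}'" for r in roles)


def tag_members(message, action):
    """Return the tag members under <register> or <unregister> in a uid-message."""
    root = ET.fromstring(message)
    return [m.text for m in root.findall(f"payload/{action}/entry/tag/member")]


if __name__ == "__main__":
    print(session_update(SAMPLE_SESSION))
    print(dag_match_filter(SAMPLE_SESSION["roles"]))
```

The message produced by `session_update` would be POSTed to the firewall's `/api/?type=user-id` endpoint by the context server integration; the example stops at building and checking the payload so it runs offline.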