As confirmed by Microsoft, the most important domains to whitelist are clientconfig.passport.net, which is used for sign-ins, creating new accounts, and recovering existing Microsoft accounts, and v10.events.data.microsoft.com, which is used for Xbox Live achievements.
There are several other domains you may want to whitelist, as discovered by the community:
attestation.xboxlive.com
cert.mgt.xboxlive.com
ctldl.windowsupdate.com
def-vef.xboxlive.com
device.auth.xboxlive.com
eds.xboxlive.com
help.ui.xboxlive.com
licensing.xboxlive.com
notify.xboxlive.com
settings-win.data.microsoft.com
title.auth.xboxlive.com
title.mgt.xboxlive.com
v10.vortex-win.data.microsoft.com
www.msftncsi.com
www.xboxlive.com
xbox.ipv6.microsoft.com
xboxexperiencesprod.experimentation.xboxlive.com
xflight.xboxlive.com
xkms.xboxlive.com
xsts.auth.xboxlive.com