How can I disable users in "domain admins" group from running sudo?
I have no experience with SSSD, but since it seems to mimic Active Directory, I can draw some parallels to Microsoft Active Directory.
In the Microsoft world a Domain Administrator is a "superroot" user, a.k.a. a user with admin/root privileges on every single machine in the domain, if not the whole forest. So them having root access to any machine is quite normal. Normally you create some secondary admin group where you restrict some of the more dangerous privileges and add most of your sysadmins there, and only give Domain Administrator access to a few senior sysadmins. There's the even more dangerous account: Administrator, that's the built-in Administrator account for the whole domain, which some people quite commonly save the password for on a piece of paper and lock it in a safe or something to that effect.
If this was a Microsoft scenario, I'd tell you to move your admins to some other group, but to not try to change the permissions of the Domain Administrators group.
Also note that commonly you never add personal user accounts to these Domain Admin groups, you create secondary admin users for your sysadmins and give those access, and you then make sure that the sysadmins use their personal accounts for personal tasks and admin accounts for admin tasks.