Well, you actually are - so as to tell the authentication callback anything about the action that is to be processed, ConfD would have to parse the message first.
I don’t think ConfD has recommendations here, that’s not really ConfD’s area. The interactive interfaces CLI and WebUI give some options (note though that they still apply only before the password has actually expired, not after that), but in case of NETCONF or RESTCONF ConfD is restricted by the protocol specifications. One option I can think of is using NACM rules: perhaps your AAA system may temporarily reassign the user with expired password to a user group where the only allowed action is to change the password.