First you have to know the fact that accessing ADFS 4 using REST Web API is best implemented using OpenIDConnect on top of OAuth2, because authenticating Web API thru ADFS 4 requires OAuth2 for the authorization.
OAuth2 and OpenIDConnect (often called OIDConnect) are known standards, although these standards don't require JWT as part of authorization token.
ADFS since ADFS 3 use and require JWT token for OAuth2, therefore you already correct on using JWT as token.
The ADFS since ADFS 3 has full support of OAuth2/OIDC, this includes grant types of implicit grant, code token, and the one that you want to implement of having username and password.
The grant type of passing username and password as part of the authentication is called "resource owner credential". This is not recommended, because it is inherently less secured that code grant and implicit grant.
If you want to have username and password to authenticate, then you have to understand that this means you cannot use recommended authentication/authorization for web API. It is common and best practice to use code grant type for Web API.
Please consult this official documentation of ADFS for developer:
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-openid-connect-oauth-flows-scenarios
UPDATE 1:
You are asking about what to put in your controller. No, you can't put authentication and authorization of OAuth inside the controller.
Yes, you should mark the controller with attribute of [Authorize] but this will only mark your controller class that the web APIs are required to have authorization. The real authorization code for OAuth is always set up in the Startup.cs, inside the ConfigureServices method.
For more example, look at this code sample of MS Identity in ASP.NET Core from Microsoft:
https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2
especially this:
https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/1-WebApp-OIDC/1-1-MyOrg/Startup.cs#L24-#L47
