Hi @adam20,
Thanks for following up.
I have just tested the login flow with the Password Rotation built-in Action and can confirm that everything is working as expected.
Whenever a user tries to log in with an expired password, they get redirected to a URL like the following: https://{yourDomain}/?error=access_denied&error_description=Your%20password%20has%20expired.%20%20Please%20reset%20it.&state={state variable}
Here is a screenshot of a network trace: 
This is by design, and this requires the user to restart the login flow again to get to the login page and then follow up with the “Forgot Password?” option.
I hope the explanation was clear.
Thanks,
Rueben