AFP doesn't use Active Directory for authentication. This is because by default the uams that are active are the 'passwd' uam modules and not the 'pam' ones, and you need to use the 'pam' uams for afpd to authenticate against AD.
To fix this, I performed the following actions at a root shell:
cd /etc/uams rm uams_clrtxt.so uams_dhx.so uams_dhx2.so ln -s uams_dhx2_pam.so uams_dhx2.so ln -s uams_dhx_pam.so uams_dhx.so ln -s uams_pam.so uams_clrtxt.so
Then restarted afpd. After this, AD authentication works.
The 'pam' modules should be the default; or at least the GUI should change the links from the 'passwd' modules to the 'pam' modules when AD is turned on.