First off, I don't think this is correct:
Website A : MCID = 123, VID = null/blank -> AAID should be 123?
The AAID is the the back-end identifier, this used to match the old s_vi cookie, back when there was no cross domain considerations. This is represented in the Raw Data as post_visid_high / post_visid_low, and I have never seen those match an ECID... but I don't use the Raw Data much (that's more our data engineering team).
I am also not sure that vid takes precedence over s_vi any more.. that's such an old concept, where the cookie is unique to the domain, I feel that would have more tendency to break cross domain implementations now.... as for VID versus ECID, I would still think that ECID would be used... again, I could be wrong, I've never passed both a VID and an ECID.. the only place I use VID is on our AMP pages (and I pass the AMP Id generated by Google.... that information gets mapped to a proper post_visid_high / post_visid_low designation in the Adobe backend, it doesn't use it directly as far as I am aware....
Now, to the cross domain issue... I don't actually use the Visitor.appendVisitorIDsTo function, since we have so little "direct between sites" traffic. When I open an incognito window and load "site a" in one tab, and 'site b" in another tab, and 'site c" in yet another tab, and check the ECIDs, they all match for me (granted this is in a single session), and I can see much cross over traffic between sites in our real data, maybe not everything... I assume Safari ITP isn't playing nicely...
Have you considered just trying to check the s_ecid cookie? Before tracking happens, look at the ECID cookie set and look at the value passed in the URL.. if they don't match, update the cookie with the passed value... then let your tracking fire?
