You can’t currently add an Azure Service Principal (SPN) to an on-premises Windows security group.
A work-around is to create an Azure Active Directory security group and then add both the Windows security group and the SPN.
This helps with scenarios like granting multiple access to the Activity Directory admin of PaaS SQL servers.