This doesn’t say much about what was actually attempted, so to pick on one specific thing to confirm:
Is https://myaccount.google.com/lesssecureapps set to this?
Changing to that will probably produce some alert to your gmail, smartphone, etc. to warn you about it.
I’m not clear on your thunderbird result. Did you say it worked with same settings? OAuth2 is different.
How to add Gmail SMTP in Thunderbird describes some steps that you may or may not have followed, however if you followed them, then I think you got OAuth2 authentication which Duplicati email can’t do.