SSH_MSG_USERAUTH_PASSWD_CHANGEREQ packet to the client if a password change is required. The client may then try a different authentication method or request a new password from the user and retry password authentication. After the password change, the server signals whether the password change was successful. Also, WinSCP should be able to view the kbd-int messages sent by the server during the password change.
On the GUI side, a separate password change dialog would probably be the best option. It could contain two text fields (fields named new password, new password again or similar) and an OK button. WinSCP can test whether the fields are equal and then send the new password. After sending, WinSCP should show the kbd-int message from the server which explains why the password could not be changed (too weak password, ...) or a message about success.
More info about the SSH_MSG_USERAUTH_PASSWD_CHANGEREQ can be found at https://datatracker.ietf.org/doc/html/draft-ietf-secsh-userauth-27 (pages 10 - 11).