Can you used the WhatIf tool to see the result of the Conditional Access policies for the given sign-in scenario.
Also the sign-in logs have a tab which should help.
If all else fails there is s template Conditional Access policy which might help.
https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-compliant-device#template-deployment