Thanks for posting your question in the Microsoft Q&A forum.
In this article, you can find helpful information about tokens and SSO.
You can use the What If tool to troubleshoot Conditional Access policies:
https://learn.microsoft.com/en-us/entra/identity/conditional-access/what-if-tool
It would be great to take care of token protection.