Hi Roger,
This is an expected behavior as when a storage account is created with default configurations via portal or any other clients, the request payload does not contain anything related to queue or table.
The request payload only contains storage account definition along with flieservices and blobservices.
For deployifnotexists effect to work, these resource types need to present in the request payload during resource creation operation. so that policy can evaluate the policy conditions to match resource properties and act.
You can test the same by creating a new storage account from the portal and in the last step of resource creation wizard, click on "download a template for automation" link. You will get to see only storage account, blobservices and fileservices definitions in the ARM template.
table and queues are not created with storage account by default. But once they are created later, the policy identifies them non-compliant. Policy remediation tasks can be created to remediate them by adding diagnostics settings.