Hi @N B, interesting you raise this, as I have also been troubleshooting an issue which would appear to be the same as what you describe above...
Okay, so I have a custom app for which MFA is enforced by conditional access policies which have the cloud apps selection set to "All Cloud Apps" - in the AAD sign-in logs, when the user authenticates, I do successfully see that the CAP matches with the registered app the user is signing into...
What I would like to do is have a different CAP policy to enforce MFA which is just for this specific cloud app which I've registered. However, when the user goes to sign in, the user's AAD sign-in logs do not show that the conditional access policy has matched with the client application, and instead show that it's trying to access the Microsoft Graph resource - this displays an ID of: 00000003-0000-0000-c000-000000000000. Upon investigating this ID, it would appear to be related to the built-in "Graph Aggregator Service" - if you search for this Enterprise App you can see all of the service principals which have been added to the app. From the information which I've been reading, I believe adding your service principal into the "Graph Aggregator Service" app would then resolve the issue which we're facing.
I'm yet to try this myself, as I would like to test in a test environment, as the app I want to enforce the CAP policy on is currently already in production use. The reason this works with all cloud apps selected is because that includes the Graph Aggregator Service - it did take a while to conclude this, but that's where I'm at.
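
A way to check, from exported sign-in records, which resource a client app's sign-ins actually target and which Conditional Access policies were applied there, as an added example that is not part of the original post. The records are constructed; the client app IDs and policy names are hypothetical, and the field names follow the Microsoft Graph `signIn` resource.

```python
from collections import defaultdict

# Constructed sample records (Microsoft Graph signIn field names).
# App IDs and policy names are made up; the resource ID of the first
# record is the Microsoft Graph ID quoted in the post.
SIGN_INS = [
    {"appId": "11111111-1111-1111-1111-111111111111",
     "appDisplayName": "Custom App",
     "resourceId": "00000003-0000-0000-c000-000000000000",
     "resourceDisplayName": "Microsoft Graph",
     "appliedConditionalAccessPolicies": [
         {"displayName": "MFA - All Cloud Apps", "result": "success"},
         {"displayName": "MFA - Custom App only", "result": "notApplied"}]},
    {"appId": "22222222-2222-2222-2222-222222222222",
     "appDisplayName": "Other App",
     "resourceId": "33333333-3333-3333-3333-333333333333",
     "resourceDisplayName": "Other API",
     "appliedConditionalAccessPolicies": [
         {"displayName": "MFA - All Cloud Apps", "result": "success"}]},
]

# Results that mean the policy's controls were enforced on the sign-in;
# anything else (notApplied, notEnabled, report-only, ...) counts as skipped.
ENFORCED = {"success", "failure"}

def policies_by_resource(sign_ins, client_app_id):
    """Group applied / skipped policy names by the resource the client app requested."""
    summary = defaultdict(lambda: {"applied": set(), "notApplied": set()})
    for rec in sign_ins:
        if rec.get("appId") != client_app_id:
            continue
        key = (rec.get("resourceId"), rec.get("resourceDisplayName"))
        for pol in rec.get("appliedConditionalAccessPolicies") or []:
            bucket = "applied" if pol.get("result") in ENFORCED else "notApplied"
            summary[key][bucket].add(pol.get("displayName"))
    return dict(summary)

def never_applied(sign_ins, client_app_id):
    """Policies that were evaluated for this client app but never enforced."""
    applied, skipped = set(), set()
    for buckets in policies_by_resource(sign_ins, client_app_id).values():
        applied |= buckets["applied"]
        skipped |= buckets["notApplied"]
    return sorted(skipped - applied)

if __name__ == "__main__":
    app = "11111111-1111-1111-1111-111111111111"
    for (rid, name), b in policies_by_resource(SIGN_INS, app).items():
        print(f"{name} ({rid}): applied={sorted(b['applied'])}")
    print("never applied:", never_applied(SIGN_INS, app))
```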