Hello @Bill Spicer
Since the issue is the DUO application bypassing the NPS policies functionality there is little that Microsoft community can contribute. My recommendation will be to open a question to DUO community forums since they may be better prepared and experienced to answer this question.
On my end, as far as my knowledge goes, you can deploy Microsoft's Network Policy Server (NPS) as a RADIUS server or a RADIUS server from another vendor between Active Directory and the Duo Authentication Proxy, and add the Duo Proxy server as a client of the NPS server.
Hope this helps with your query,
--If the reply is helpful, please Upvote and Accept as answer--