Thanks for sharing your findings here. Could you please "accept your answer as verified", as this would help others in the community who experience a similar problem?
Yes, as you mentioned, when dealing with multi-client app scenarios, you can always create multiple policies to fulfill your requirements, since this approach is commonly used when requiring and blocking web applications but allowing mobile or desktop apps.
Furthermore, instead of including 'All cloud apps', try using individual Microsoft cloud applications in the app section (such as Office 365, which includes multiple related child apps or services), because when you include 'All cloud apps', the policy affects all browser access, including the Azure portal.
If you have no other option than including 'All cloud apps', make sure you have set up emergency access accounts in Azure AD to prevent being accidentally locked out of your Azure Active Directory (Azure AD). To learn more, refer to How to manage emergency access accounts in Azure AD.
Hope this helps.
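To make the recommendations above concrete, here is an added example (not part of the answer or of any Microsoft sample) using the Microsoft Graph PowerShell SDK. It creates two Conditional Access policies scoped to the Office 365 app group rather than 'All cloud apps': one that blocks browser clients, and a companion policy for mobile and desktop clients. The "require compliant device" control in the second policy is an assumption added here; the answer itself only says mobile and desktop apps stay allowed. Both policies exclude the emergency access accounts and are created in report-only mode, and a final check lists any policy that targets 'All cloud apps' without excluding those accounts. The group and account object IDs are placeholders.

```powershell
# Added example, not from the original answer. Requires the Microsoft.Graph module
# (New-MgIdentityConditionalAccessPolicy / Get-MgIdentityConditionalAccessPolicy)
# and the Policy.ReadWrite.ConditionalAccess delegated permission.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder object IDs: replace with the group in scope and your break-glass accounts.
$targetGroupId       = "00000000-0000-0000-0000-000000000001"
$emergencyAccountIds = @(
    "00000000-0000-0000-0000-0000000000aa",
    "00000000-0000-0000-0000-0000000000bb"
)

# Policy 1: block browser (web) access to the Office 365 app group.
# Scoping to "Office365" instead of "All" leaves the Azure portal and other
# Microsoft services reachable from a browser.
$blockBrowser = @{
    displayName = "CA - Block browser access to Office 365"
    # Report-only first: evaluate the impact in the sign-in logs, then set to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("browser")
        applications   = @{ includeApplications = @("Office365") }
        users          = @{
            includeGroups = @($targetGroupId)
            excludeUsers  = $emergencyAccountIds   # never lock out the emergency accounts
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

# Policy 2 (assumed companion): mobile and desktop clients stay allowed but must
# come from a compliant device. Together the two policies give
# "block web, allow (managed) mobile/desktop apps".
$mobileDesktop = @{
    displayName = "CA - Require compliant device for Office 365 apps"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("mobileAppsAndDesktopClients")
        applications   = @{ includeApplications = @("Office365") }
        users          = @{
            includeGroups = @($targetGroupId)
            excludeUsers  = $emergencyAccountIds
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

$created = foreach ($policy in @($blockBrowser, $mobileDesktop)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}
$created | Select-Object Id, DisplayName, State

# Check: any policy that targets 'All cloud apps' must exclude every emergency
# access account, otherwise a misconfiguration can lock administrators out.
$risky = Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.Conditions.Applications.IncludeApplications -contains "All" -and
    ($emergencyAccountIds | Where-Object { $_ -notin $PSItem.Conditions.Users.ExcludeUsers })
}
if ($risky) {
    Write-Warning "Policies targeting 'All cloud apps' without excluding all emergency accounts:"
    $risky | Select-Object Id, DisplayName, State
}
```

Leaving both policies in report-only mode until the sign-in logs confirm only the intended users and client types are affected is the safest way to roll this out; the final check is worth re-running whenever policies are edited, since an exclusion removed by mistake from an 'All cloud apps' policy is exactly the lockout scenario the answer warns about.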