You can force the user to use Windows Hello for Business or a smartcard to log in to a system (Windows interactive sign-in). But you cannot do it based on their location (like you can in conditional access policies). You basically would have to force it at the user level in AD (assuming you have domain-joined systems).
But with CAP, if most of the applications are protected by Azure AD, then you could still enforce MFA based on some other conditions at the application level.
You can use multi factor unlock with Windows Hello for Business and you could have something like:
- If a user is connected on premises I can use just the facial recognition
- But if the same user on the same machine is connected from home, I will also need the PIN (called Multi Factor Unlock)