Well, as soon as I posted this, the idea hit me.
We added the two ISE servers' machine accounts in AD to the machines that this user is permitted to log in to, and it works like a charm now. Apparently when a user logs in, ISE passes through a generic machine name (of itself) to AD, and it wasn't matching the list of allowed machines.
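For anyone applying the same fix, here is an added PowerShell example (not the poster's own code) that appends ISE node machine names to a user's AD "Log On To" list, which is the LogonWorkstations (userWorkstations) attribute the restriction lives in. The user name and ISE hostnames are placeholders.

```powershell
# Added example, not from the original post. Appends ISE node machine names to a
# user's AD "Log On To" list (LogonWorkstations / userWorkstations) without
# clobbering the existing entries. User name and hostnames are placeholders.
Import-Module ActiveDirectory

$User     = 'jdoe'                        # placeholder sAMAccountName
$IseNodes = @('ISE-PAN-01', 'ISE-PSN-01') # placeholder ISE computer names (no trailing $)

$acct = Get-ADUser -Identity $User -Properties LogonWorkstations

# An empty attribute means "log on to all computers"; adding names here would
# introduce a restriction rather than relax one, so stop instead of narrowing access.
if ([string]::IsNullOrWhiteSpace($acct.LogonWorkstations)) {
    Write-Warning "$User has no Log On To restriction; nothing to add."
    return
}

# The attribute is a comma-separated string; normalise it into an array.
$current = @($acct.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
$missing = @($IseNodes | Where-Object { $current -notcontains $_ })   # case-insensitive compare

if ($missing.Count -eq 0) {
    Write-Host "All ISE nodes already present for $User."
    return
}

$updated = ($current + $missing) -join ','

# The Log On To dialog caps this list at 64 computers; check before writing
# so the update fails loudly instead of being rejected or truncated.
$count = ($updated -split ',').Count
if ($count -gt 64) { throw "Log On To list for $User would have $count entries (limit 64)." }

# -WhatIf shows the change without applying it; remove it once the output looks right.
Set-ADUser -Identity $User -LogonWorkstations $updated -WhatIf

# Re-read to confirm what is actually stored.
Get-ADUser -Identity $User -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations
```

Run it once per affected user, or wrap the body in a loop over the users who were failing to authenticate.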