Double-check the conditional access policy assignments in Azure:
Make sure it’s set to the right users, groups, and apps.
Make sure none of the conditions are letting the policy get bypassed.
Make sure the grant is definitely requiring the Duo control, not the Duo control and something else and is satisfied by success on just one control.
Make sure the policy is “On” and not set to “Report-only” or “Off”.
Try the “What If” tool in the Azure portal to model an auth that you think should be subject to the CA policy with the Duo control and see what happens i.e. does your Duo CA policy show up in “Policies that will apply”?