DUO DAG SAML Anyconnect with ASA DAP Policy

We’ve been having issues with DUO SAML Anyconnect via ASA that is using a DAP Policy to filter Users into proper VPN Policies.
ASA Version 9.9.2(36)
DAG on Windows in DMZ
We’re seeing successful authentication on both sets of credentials (AD and DUO).
I am seeing ‘Login Denied’ after Approving the Duo Push notification.
I’ve worked with DUO Support, but we hit their limint on ASA Configuration knowledge.
In my ASA Log I am seeing the following error, which indicates that somewhere along the way, the username@domain.com is being password to the DAP, when we’re trying to use username without the realm. I’ve tried turning on realm stripping, but that did not change the errors at all.
If anyone has some comments on getting through this, I’d really appreciate it. I’m waiting for Corporate to renew our Support Contract for the ASA5525X, so I’m stuck for now.