Typically when RADIUS is specified as the primary authentication source it's because it requires specific RADIUS attributes passed to/from the device.
If you take a look at the Watchguard RADIUS configuration instructions it specifies that group attribute be sent as RADIUS attributes (with RADIUS attribute 11 FilterID as the default).
When the Duo Authentication proxy is used with AD as the authentication source, it can't send the group attribute as a RADIUS attribute (as the LDAP AD server doesn't send any RADIUS attributes). That is why the Watchguard instructions call for a RADIUS authentication source.
If you don't have a RADIUS server but you do have AD, you can deploy the NPS role on a domain joined Windows server to provide RADIUS auth to AD, then point Duo to NPS as shown in those instructions.