I'm trying to tighten up authentication measures using Microsoft Entra ID Conditional Access for a specific web application accessed via a browser. We've set up Single Sign-On (SSO) with Entra ID, and our Conditional Access (CA) policies are as follows:
- **Policy A**: Applies to all users across all cloud apps and mandates MFA, but it excludes the targeted app from this policy.
- **Policy B**: Applies to all users specifically for the targeted browser-based app and enforces MFA with a sign-in frequency set to prompt every time.
I've tested this setup to force an MFA prompt whenever a user logs into this application, even if they're already logged into Microsoft 365 in the same session. However, I noticed that after logging into portal.office.com and completing MFA, when users navigate to the target app in the same browser, they're not prompted for MFA again. The sign-in logs indicate that the MFA requirement was satisfied by a claim in the existing session token.
I believe that while the sign-in frequency setting asks for re-authentication of credentials, it doesn't invalidate the existing MFA claim; it just reuses the existing token.
So now I'm left wondering if there's a way to genuinely force an MFA prompt for this app regardless of prior session tokens. Additionally, would using a native client app instead of a web browser make a difference? How do others ensure per-login MFA for certain SaaS or browser-accessed applications? Am I completely off base? Any insights would be really appreciated!
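Policy B as described in the question, expressed in the Microsoft Graph conditional access schema and created with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original post; the application ID is a placeholder and the display name is constructed.

```powershell
# Added example (not from the original post): the asker's Policy B as a Graph
# conditionalAccessPolicy object, created via Microsoft Graph PowerShell.
# Requires: Install-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# PLACEHOLDER: the app ID of the SSO-enabled web application being targeted
$targetAppId = "00000000-0000-0000-0000-000000000000"

$policyB = @{
    DisplayName = "Example - Per-login MFA for target web app"   # constructed name
    # Report-only first: the sign-in logs then show what the policy WOULD do,
    # including which requirement was satisfied by an existing claim, before
    # any user is actually affected.
    State       = "enabledForReportingButNotEnforced"
    Conditions  = @{
        Users          = @{ IncludeUsers = @("All") }
        Applications   = @{ IncludeApplications = @($targetAppId) }
        # Browser sessions only, matching the setup described in the question.
        ClientAppTypes = @("browser")
    }
    GrantControls = @{
        Operator        = "OR"
        BuiltInControls = @("mfa")
    }
    SessionControls = @{
        SignInFrequency = @{
            IsEnabled          = $true
            # "everyTime" is the "prompt every time" sign-in frequency.
            FrequencyInterval  = "everyTime"
            # Require both the primary credential and the MFA factor, rather
            # than only the primary credential.
            AuthenticationType = "primaryAndSecondaryAuthentication"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyB
$created | Select-Object Id, DisplayName, State
```

Leave the policy in report-only mode while testing; once sign-in logs show the expected MFA requirement for the target app, switch State to "enabled".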
1 Answer
Check out the Microsoft documentation on conditional access. When you set the sign-in frequency to every time, there's still a 5-minute window for any re-prompt due to some clock skew they factor in. So if you log in and switch apps before 5 minutes, it might skip that second MFA prompt. Just be sure to test it again after waiting a little longer!
Yeah, sometimes it's all about timing! After I realized the 5-minute rule, it made a big difference for me too. Patience really is key!

Thanks for the guidance! I think I might have jumped the gun during my testing. I'll definitely try again tomorrow with that in mind.