OK so I will explain our setup/situation, then the problem we are seeing.

Setup: We have set up Parallels RAS (v20) with access to some Apps via RDS and Desktops via VDI and Remote PCs. We have 2 policies, 1 for internal machines and 1 for external machines. The internal machines are all AAD Hybrid joined, log in with local AD credentials, and the policy is set to connect to Parallels RAS using SSO. This works well and the users can access apps and desktops with 0 authentication prompts. Our external machines (laptops) are AAD/Entra Joined, so we have configured SAML login using an enrolment server (wasn't easy in itself) and this is where the issue arises.

Problem: The login to Parallels works, as does the login to the desktop/app session without being prompted for credentials; however, once the user is in the session (using desktop as the example here) they are told there is a problem with their Microsoft account and they have to sign in again to restore the SSO functionality to be able to access Office/Outlook/OneDrive etc. We heavily rely on this as we use OneDrive to sync profiles, AAD accounts to sync browser settings, and Teams/Outlook for communications, which would usually automatically sign in. The users might not be aware of this requirement and then report issues. Overall this is not the experience we want or how we would like/expect it to work.

Note: If I change the policy to use WEB + Credentials this isn't an issue, as the user connects to Parallels RAS with SAML but then has to manually authenticate again to connect to apps/desktop. However, this is not an ideal setup and I would rather avoid users having to keep authenticating; being able to use SAML for all logins makes it much more secure for us by using policies and conditional access etc.

We are coming from Citrix and we did set up something similar in a new test farm before deciding to move to Parallels; however, that was resolved by enabling Certificate authentication in Entra, which I have done again, with our Enrolment server CA now being trusted by it. However, when "testing" this by manually trying to log in to an MS site in a VDI session, the certificate authentication fails. I can't see the certificate in the Certificates MMC add-in and I suspect that, due to the nature of Parallels using their own authentication method, the certificate isn't actually issued to/stored by the user once logged in, and this could be the issue. I am just wondering if anyone else has come across this problem, and if so how they resolved it, or whether Parallels can help me to resolve it. I have not raised a ticket with Parallels (yet) as I have been trying to diagnose to get as much information as possible first.