Hi @Ying Wu!
In order to pass the device identity and satisfy device-based Conditional Access policies, it is necessary for the app to send the Primary Refresh Token. If all the other applications are able to send the PRT it likely means that the device is correctly registered but for some reason the application is not able to send the PRT, in which case the issue would not be caused by Conditional Access itself but by the app itself.
That being said, you might be able to resolve this by unlinking the user account from OneDrive and signing in again to trigger a new PRT. (Let me know if this is the case, as this could suggest that the CA policy is not aware of the PRT.)
Without being able to see your sign-in logs it will be harder to isolate the root cause. That being said, if you still face the issue, you can feel free to send me an email at AzCommunity@microsoft.com ("Attn: Marilee Turscak") and include your subscription ID so that I can enable a one-time free support case for you.
https://video2.skills-academy.com/en-us/sharepoint/enable-conditional-access
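
The comparison described in this answer (other apps pass the device identity, one app does not) can be checked against exported sign-in logs. The following is an added example, not part of the original answer or any Microsoft tooling; field names follow the Microsoft Graph `signIn` resource, the records are constructed, and treating an empty `deviceId` as "no device identity presented" is an assumption of the example.

```python
import json
from collections import defaultdict

# Constructed sample records shaped like an Entra ID sign-in log export.
# Users, apps and device IDs are made up for illustration.
SAMPLE_SIGNINS = json.loads("""
[
 {"userPrincipalName": "alice@contoso.example", "appDisplayName": "Microsoft Teams",
  "conditionalAccessStatus": "success",
  "deviceDetail": {"deviceId": "00000000-0000-0000-0000-00000000aaaa", "isCompliant": true}},
 {"userPrincipalName": "alice@contoso.example", "appDisplayName": "OneDrive",
  "conditionalAccessStatus": "failure",
  "deviceDetail": {"deviceId": "", "isCompliant": false}},
 {"userPrincipalName": "bob@contoso.example", "appDisplayName": "Microsoft Teams",
  "conditionalAccessStatus": "failure", "deviceDetail": {"deviceId": ""}},
 {"userPrincipalName": "bob@contoso.example", "appDisplayName": "OneDrive",
  "conditionalAccessStatus": "failure", "deviceDetail": null},
 {"userPrincipalName": "carol@contoso.example", "appDisplayName": "OneDrive",
  "conditionalAccessStatus": "success",
  "deviceDetail": {"deviceId": "00000000-0000-0000-0000-00000000cccc", "isCompliant": true}}
]
""")

def split_apps_by_device_identity(signins):
    """Per user, separate apps that presented a device ID from apps that never did."""
    seen = defaultdict(lambda: {"with_device": set(), "without_device": set()})
    for rec in signins:
        detail = rec.get("deviceDetail") or {}          # field may be null or absent
        has_id = bool((detail.get("deviceId") or "").strip())
        bucket = "with_device" if has_id else "without_device"
        seen[rec["userPrincipalName"]][bucket].add(rec["appDisplayName"])
    for apps in seen.values():
        # An app that sent a device ID at least once is not counted as failing.
        apps["without_device"] -= apps["with_device"]
    return seen

def classify(signins):
    """Label each user: 'app-specific', 'device-wide' or 'ok', with the affected apps."""
    findings = {}
    for user, apps in split_apps_by_device_identity(signins).items():
        missing = sorted(apps["without_device"])
        if missing and apps["with_device"]:
            findings[user] = ("app-specific", missing)   # device registered, app omits identity
        elif missing:
            findings[user] = ("device-wide", missing)    # no app presented a device identity
        else:
            findings[user] = ("ok", [])
    return findings

if __name__ == "__main__":
    for user, (verdict, apps) in classify(SAMPLE_SIGNINS).items():
        print(f"{user}: {verdict} {apps}")
```

An "app-specific" result matches the case above where the device is registered but one application does not send the PRT; "device-wide" points at device registration instead.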