We found this article https://www.gurot.com/blog/eas-access-rules-exchange-online
The text line "Once a user is affected by conditional access in Azure AD in any way, which includes him being listed in an exception in a particular rule setting, then the ABQ rule on the Exchange server is completely ignored" made us react.
It made us check all the terms of access in Azure. It turned out that we had some conditions for MFA. We excluded the Surface Hub account from these, and then we made it work.
Now everything works as it should
We can only hope that this can help someone else as there have been very few articles on Google that have addressed the error.