@Alexander You can test the following policy to verify if it meets your requirement.
It would be easier if you have 2 different policies for this.
1) Require Trusted Locations - Condition
Followed by MFA under grant
2) Require Trusted Devices (If you mean compliant and Hybrid AD Joined)
Under Grant
Please do test them and let us know if it helped.
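
The two policies described in the answer above, as an added example that is not part of the original reply: both are created in report-only state through the Microsoft Graph PowerShell SDK so their effect can be checked in the sign-in logs before enforcement. The scope (all users, all cloud apps), the policy names, the `New-ReportOnlyPolicy` helper, the excluded emergency-access account and the `OR` between compliant and hybrid joined are assumptions; policy 1 follows the answer literally (trusted locations as the condition, MFA as the grant).

```powershell
# Added example, not from the original answer.
# Assumes the Microsoft.Graph.Identity.SignIns module is installed.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder: replace with the object ID of your emergency-access account
# so a misconfigured policy cannot lock every administrator out.
$breakGlassId = '00000000-0000-0000-0000-000000000000'

# Hypothetical helper: builds one policy body and creates it in report-only mode.
function New-ReportOnlyPolicy {
    param([string]$Name, [hashtable]$Locations, [hashtable]$Grant)

    $conditions = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    if ($Locations) { $conditions.locations = $Locations }

    $body = @{
        displayName   = $Name
        # Report-only: evaluated and logged on every sign-in, never enforced.
        state         = 'enabledForReportingButNotEnforced'
        conditions    = $conditions
        grantControls = $Grant
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Policy 1: location condition set to trusted named locations, MFA as the grant.
New-ReportOnlyPolicy -Name 'CA01 - Trusted locations - MFA' `
    -Locations @{ includeLocations = @('AllTrusted') } `
    -Grant @{ operator = 'OR'; builtInControls = @('mfa') }

# Policy 2: no location condition; grant requires a compliant device
# or a hybrid joined device ('domainJoinedDevice' in Graph).
New-ReportOnlyPolicy -Name 'CA02 - Trusted devices' `
    -Grant @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }

# Confirm both policies exist and are still report-only.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object DisplayName -like 'CA0*' |
    Select-Object DisplayName, State
```

Once the report-only results in the sign-in logs match the requirement, change `state` to `enabled` on each policy.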