For Chrome to be compatible with Azure AD conditional access security policies that check for Hybrid Domain Join, you must install a Browser extension from (here) *or* deploy a registry key from (here).

This is because Chrome does not pass the Hybrid Domain Join status, as shown below:

Adding the browser extension or registry keys allows a user to use Chrome to access the SSO via conditional access policy.

Otherwise you will get an error “You can’t get there from here”