Hi,
I think you'll need to configure your SimpleSAMLphp service provider configuration to require the attribute value using the authorize module: https://simplesamlphp.org/docs/stable/authorize:authorize. I've tried this (although not with AD) and it worked as expected.
An alternative approach may be to customise the saml_hook_authorize_user() function in auth/saml/custom_hook.php returning false if the expected attribute value isn't found.
Good luck,
Leon Stringer
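
A sketch of the authorize-module approach suggested above, added here as an example and not part of the original post. The attribute name `memberOf` and the group DN are constructed placeholders; substitute whatever attribute and value your IdP actually releases.

```php
<?php
// Fragment of SimpleSAMLphp's config/config.php (service-provider side).
// The authorize module must be enabled for this filter to load.
$config = [
    // ... existing settings ...

    'authproc.sp' => [
        // Priority 60: place this after any filter that renames or maps
        // attributes, so the check sees the final attribute names.
        60 => [
            'class' => 'authorize:Authorize',

            // Key = attribute name (assumed: memberOf, as released from AD).
            // Value = list of regular expressions; access is granted when
            // any value of the attribute matches any pattern.
            'memberOf' => [
                // Anchor with ^ and $ so only the exact DN is accepted.
                // An unanchored pattern such as '/moodle-users/' would also
                // match unrelated groups that merely contain that string.
                '/^CN=moodle-users,OU=Groups,DC=example,DC=org$/i',
            ],
        ],
    ],
];
```

Users whose assertion lacks the attribute, or carries no matching value, are stopped at the SimpleSAMLphp layer and never reach the application.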