Enabled Enhanced Filtering, but EOP still uses my on-prem IP as the source when checking SPF

With the help of support, we finally figured out what the problem was. 

The enhanced filtering policy can be applied to specific users, or to the entire organization.  The UI recommends starting with a small group of users first.  I had entered the names of a handful of users here as a test group.  The trouble is, when the message passes through our on-prem exchange, it looks at the recipient's account and sends the email on to the cloud addressed their remote routing address instead of their email address.  When EOP looks at the messages, it's checking that remote routing address (e.g. mailto:username@domain.mail.onmicrosoft.com) against the list of users to apply enhanced filtering to, not finding a match, and thus enhanced filtering is not applied.  

The solution is to enter the remote routing address of each user in the exchange filtering policy instead of their name or email address.  Even though the UI does appear to lookup the user name from an email address entered, enhanced filtering doesn't check against all of that user's addresses to determine whether the policy applies. 

It's funny that this oddity only applies when in a testing configuration.  Had I configured the policy to apply to the entire organization, this would have never occurred.  Now that the solution has been applied and enhanced filtering is working as expected, I'll go ahead and enable it for the entire org and this weird behavior won't be relevant anymore.