Forum Discussion
Conditional Access Policies for Azure File Share
Hello,
We currently have an on-premises domain that is synced to Azure using Azure AD Connect. We also have an Azure File Share that works using AD DS as its identity source, and properly passes permissions and connects users in our domain to the file share. We had previously limited access to this file share by IP - saying you can only access the file share if you are physically at one of the company office locations. Moving forward, we would like to allow our remote users to have access to the file share.
What we want for our security on the file share: Users must either a) be physically on-site / at a trusted location or b) if they are not on-site, their device must be hybrid-joined.
My question is really... can this be done and if so, how?
From my understanding, this is not possible with our current setup using AD DS as the identity source for the Azure file share... the Azure file share does not even show up as a resource when trying to create a Conditional Access Policy because all authentication happens on the on-prem domain controller and there is no API in Microsoft Entra for accessing the file share.
That being said, we can change from AD DS as the file share identity source to Microsoft Entra Kerberos as the identity source, but then we'd need to make sure that every single device that has access to the file share is hybrid joined (which presents its own problems... our on-prem servers are not hybrid joined, nor can they be), and there is a need for additional GPOs to allow Kerberos authentication for Azure on the end devices.
Is Kerberos the right way to go knowing what our end goal is, or is there a better way to get this accomplished?
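The following is an added example, not code from the original post or from Microsoft's documentation, showing what the Microsoft Entra Kerberos route described above looks like end to end: switching the storage account's identity source, building one Conditional Access policy that implements "trusted location OR hybrid-joined device", and the client-side registry setting that the GPO mentioned in the post would deliver. The storage account `contosofiles`, resource group `rg-files`, domain `corp.contoso.com` and the named location `Corporate offices` are placeholders; the named location is assumed to already exist and be marked as trusted.

```powershell
# Added example (not from the original post). Placeholders: storage account
# 'contosofiles' in resource group 'rg-files', on-prem domain 'corp.contoso.com',
# and an existing trusted named location called 'Corporate offices'.
# Modules used: Az.Storage, ActiveDirectory, Microsoft.Graph.Applications,
# Microsoft.Graph.Identity.SignIns. Run Connect-AzAccount first.

# --- 1. Switch the file share identity source from AD DS to Microsoft Entra Kerberos ---
# Get-ADDomain must run from a domain-joined admin host; the domain name and GUID
# are what the storage account needs to map on-prem identities.
$domainInfo = Get-ADDomain -Identity 'corp.contoso.com'
Set-AzStorageAccount -ResourceGroupName 'rg-files' -Name 'contosofiles' `
    -EnableAzureActiveDirectoryKerberosForFile $true `
    -ActiveDirectoryDomainName $domainInfo.DnsRoot `
    -ActiveDirectoryDomainGuid $domainInfo.ObjectGUID.ToString()

# --- 2. Find the service principal Entra ID registers for the share ---
# Its display name follows the pattern "[Storage Account] <account>.file.core.windows.net".
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'
$spName = '[Storage Account] contosofiles.file.core.windows.net'
$sp = Get-MgServicePrincipal -Filter "displayName eq '$spName'"
if (-not $sp) { throw "Service principal '$spName' not found; verify step 1 completed." }

# --- 3. Look up the trusted named location that represents the offices ---
$office = Get-MgIdentityConditionalAccessNamedLocation -Filter "displayName eq 'Corporate offices'"
if (-not $office) { throw "Named location 'Corporate offices' not found." }

# --- 4. One policy: apply to all locations except the trusted offices, and for
#        everything that remains require a Microsoft Entra hybrid joined device.
#        On-site users never hit the policy; off-site users must be on a hybrid-joined device.
$policy = @{
    displayName = 'Azure Files: off-site access requires hybrid joined device'
    state       = 'enabledForReportingButNotEnforced'   # report-only first; switch to 'enabled' after review
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @() }   # add a break-glass account here
        applications   = @{ includeApplications = @($sp.AppId) }
        locations      = @{ includeLocations = @('All'); excludeLocations = @($office.Id) }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('domainJoinedDevice')   # = "Require Microsoft Entra hybrid joined device"
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# --- 5. Client side (what the GPO/Intune setting delivers): allow the device to
#        retrieve a Kerberos ticket for the share from Entra ID during logon.
$kerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
New-ItemProperty -Path $kerbKey -Name 'CloudKerberosTicketRetrievalEnabled' `
    -Value 1 -PropertyType DWord -Force
```

Two caveats a practitioner would want before enforcing this: after step 1 the storage account's service principal needs admin consent granted for its delegated permissions in Entra ID, and because Azure Files cannot satisfy an MFA challenge, the storage account app must be excluded from any existing Conditional Access policy that requires MFA, or the device-based policy above will never be reached. Step 4 is created in report-only mode so sign-in logs can be checked for on-prem servers or unmanaged devices that would be blocked once the policy is enabled.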