Limit access to Office 365 from internet

Just to make sure you understand the process correctly, both Azure AD CA and AD FS claims rules only restrict the authentication. If the user authenticates in your "internal" network and gets his laptop home, he will still be able to happily access messages until the token expires, which can be a very long time in general.

If you only want to block access to email, Client Access Rules in Exchange Online might be a better match. They are enforced at the Exchange server layer, and evaluated every time the client "talks" to the server. However, in general they aren't as robust as CA policies are. Here's the documentation: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/client-access-rules/client-access-rules