You can check a few other areas, depending on your configuration:
1. Check your LDAP AU object to see what is the "domain name" in the configuration. This is used to verify usernames in the directory.
2. If you are using the newer Multiple Login Options on your gateway, check gateway properties -> VPN Clients -> Authentication and edit the login option being used. In the User Directory section on the left, check what LDAP AU is being used as well as the user lookup value (sAMAccountName, userPrincipleName, etc.).
I have a customer with NPS and Azure AD/MFA plugin. They have to use the UPN to login (test-be@be.xxx.lan in your example) and I also enabled UPN as the lookup method (as I noted in #2 above). However, this depends on the LDAP AU domain name, too. With Azure AD/MFA plugin, *ALL* requests are immediately forwarded to Azure AD from the NPS server (this is an Azure AD plugin requirement, which I learned the hard way). From the implementation I helped configure, this required the UPN name and is dependent on the Azure AD directory.
You can see further RADIUS lookup details with a vpn debug. I would suggest you do this, too.