You could configure two profiles in Cisco ISE to look up the user and analyse the device they are on, and return a Filter-Id attribute to the MX to say which group policy to apply (which specifies the access restriction).
Then create a conditional access policy requiring both CBA and MFA.
For the second case, on the second MX, you would also use AnyConnect SAML with Office 365 authentication (still requires "Azure AD Premium P1"). This time you could configure a conditional access policy to require MFA. On the MX you would configure a default group policy for these users that only permitted HTTP and RDP access.
There is a feature in the works that would allow both of these on a single MX but that could easily be a year away from release.
Thinking sideways - another [simpler] way to do this would be using Cisco Duo on the Beyond plan. You would connect the first case (using AnyConnect) to Cisco Duo using SAML. You wouldn't need to use certificates. With Duo you can simply test if a computer is a member of your Active Directory or joined to your Intune (*so* much simpler than using certificates). You can also manually authorise computers and devices allowed to access.
For the second case, you would deploy the "Duo Network Gateway". This allows you to deploy a virtual appliance that provides HTTP and RDP (and some other things) access to internal resources via a web front end. Of course it uses Duo MFA. Much safer for the BYOD case. BYOD machines would have zero IP access to internal servers.
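As an added example (not part of the post above), here is how the HTTP/RDP-only group policy for the second case could be expressed and sanity-checked offline. The dictionary layout follows the Meraki Dashboard API group-policy schema as I understand it (`firewallAndTrafficShaping.l3FirewallRules`; treat the field names as an assumption to verify against your dashboard version), and the internal subnet is a constructed placeholder.

```python
"""Build and check a Meraki MX group policy that only permits HTTP(S) and RDP
to internal servers for MFA-only (BYOD) users.

Layout assumes the Dashboard API group-policy schema; the CIDR is constructed.
"""
import json

INTERNAL_CIDR = "10.0.0.0/8"  # constructed placeholder for the server subnet

# (label, protocol, destination port) the BYOD users are allowed to reach
ALLOWED_SERVICES = (("HTTP", "tcp", "80"), ("HTTPS", "tcp", "443"), ("RDP", "tcp", "3389"))


def byod_group_policy(name="BYOD-MFA-only", internal_cidr=INTERNAL_CIDR):
    """Return the JSON body for a restrictive group policy.

    Meraki evaluates L3 rules top-down and the built-in default at the bottom
    is allow-any, so the explicit final deny rule is what actually restricts
    the users; without it the allow rules are purely cosmetic.
    """
    rules = [
        {"comment": f"Allow {label} to internal servers", "policy": "allow",
         "protocol": proto, "destPort": port, "destCidr": internal_cidr}
        for label, proto, port in ALLOWED_SERVICES
    ]
    rules.append({"comment": "Deny everything else", "policy": "deny",
                  "protocol": "any", "destPort": "any", "destCidr": "any"})
    return {"name": name,
            "firewallAndTrafficShaping": {"settings": "custom",
                                          "l3FirewallRules": rules}}


def permitted_ports(policy):
    """Set of (protocol, destPort) pairs opened by allow rules."""
    rules = policy["firewallAndTrafficShaping"]["l3FirewallRules"]
    return {(r["protocol"], r["destPort"]) for r in rules if r["policy"] == "allow"}


def ends_with_deny_all(policy):
    """True only if the last rule is an explicit deny of any/any/any."""
    last = policy["firewallAndTrafficShaping"]["l3FirewallRules"][-1]
    return (last["policy"] == "deny" and last["protocol"] == "any"
            and last["destPort"] == "any" and last["destCidr"] == "any")


if __name__ == "__main__":
    policy = byod_group_policy()
    print(json.dumps(policy, indent=2))
    print("restricted:", ends_with_deny_all(policy), sorted(permitted_ports(policy)))
```

The body is what you would send when creating the group policy in the dashboard or via the API, after which ISE's Filter-Id (or the SAML default policy) maps the MFA-only users onto it.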