A policy by device type will override a RADIUS policy.
The policy by device type reads the HTTP GET packet that is sent by a client, to then apply the policy. This cannot happen until RADIUS authentication has completed, so the client would likely receive a RADIUS policy first, and once we read the HTTP GET, we'll then be able to apply the by device type policy.
There is no CoA, as the prioritisation of the policies is handled within the AP.
Hope this helps!
Please keep in mind that what I post here is my personal knowledge and opinion. Don't take anything I say for the Holy Grail, but try and see! Appreciate who helps and be respectful of every opinion and every solution offered. Share the love, especially the Meraki one!