A secure token usually gets created for the first user, which apparently appears to be your local admin account. So, the only one that can grant a secure token is your local admin. So, you have to log in as admin to enable the secure token for the user, and then FV can be enabled. I also use Jamf Connect with OneLogin as our IdP. I have my PreStage set up with the local admin created. I have a config profile for Jamf Connect to enable FV for the first user that logs in and, just like you, I also have a separate config profile to enable FV. This works for me, and the actual user does get a secure token and FV does get enabled after restart or logout.