@RLGFRY - same sort of issue with our config / support ticket. The tech presented some suggestions that didn't make logical sense. We are on PAN-OS 9.x and our exclusions are configured by subnet only, and individually, even though we can use address groups in 9.x. We are also only interested in Teams traffic at the moment. We have verified that some Teams traffic is leaving via the local gateway but also that some Teams traffic is coming back through the VPN. The solution we ended up using was to create a deny policy to the same 3 subnets we used via Split Tunnel as exclusions. Through testing we have been able to verify that we can see this traffic being denied by the new policy and also that Teams is not broken (at least not yet). Here is the MS article, which you've probably already read; it was under the "Configuring and Securing Teams Media Traffic" section. https://docs.microsoft.com/en-us/office365/enterprise/office-365-vpn-implement-split-tunnel#configur...
I wanted to share with the community, since simply using the subnets may not be the answer.