Direct Access and RSA Authentication

We're having ongoing issues trying to setup DirectAccess with RSA SecureID OTP. On it's own DirectAccess is working great, however after I configure the OTP authentication I can't get my client to connect. I get the prompt for the OTP as expected but when I put in my access code I just get the 0x80040001 error. I also see an error in the event log on the client which (very helpfully) says "OTP authentication on Remote Access server xxx for user domain\username did not succeed."

I've configured my Direct Access server as a RADIUS client, and setup all the shared secrets as well as configuring the certificate templates and policies on my CA so I'm really at a loss as where to go from here.

Weirdly I never see any errors on my DA server or CA server. However every 15 minutes I am seeing a message on the RSA server - "Unable to resolve user by login ID and/or alias, or authenticator not assigned to user". I've created the DAProbeUser as per the documentation so I'm not sure what's going on there.

I've seen a few posts about needing to apply hotfixes for Windows 7 and Windows 8 but all my clients are Windows 10 so presumably everything should be ok.

Any help would really be appreciated.