I had some time to test today and experienced the same, Yann, but I believe I understand why.
I also took an IP phone and authed it. Waited a while, unplugged it and connected my laptop with the MAC of the IP phone, and it authed fine. When I looked in the endpoint repository I saw the conflict, even though both were done based on DHCP fingerprint (I don't use IF-MAP or something else).
But the auth had gone through fine. If I look at the tracker, it still showed conflict=false and all the old details for the request. When I tried again (disconnect laptop and connect again) it was flagged as conflict and my reject profile triggered.
This makes sense. The fingerprint in the endpoint repository is only updated after the device has passed authentication and does the DHCP request. So the first auth request with the "fake" client will always go through; there isn't much to do about this, I believe.
So it does work for me in 6.5.4, only not as well as hoped, but well, can't have it all :)
As a solution you could consider short reauth times.
Personally I had hoped for an option in the profiling tab for the conflict category, perhaps with a second delay or such. I also hope we might be able to trigger on any change of fingerprint; I would still like to know if my computer with Windows suddenly becomes a Linux system. Sure, there might be logical reasons, but if it is detected I can choose what to do.