You'll need to edit the [Guest User Repository] auth source.
Under attributes, click Authorization.
Replace the entire query with:
    SELECT
      CASE WHEN expire_time IS NULL OR expire_time > now() THEN 'false'
           ELSE 'true'
      END AS is_expired,
      CASE WHEN enabled = true THEN 'true' ELSE 'false' END AS is_enabled,
      CASE WHEN expire_time > now() THEN CAST(EXTRACT(epoch FROM (expire_time - now())) AS INTEGER)
           ELSE 0
      END AS user_remaining_expiration
    FROM tips_guest_users
    WHERE ((guest_type = 'USER') AND (user_id = '%{Endpoint:Username}') AND (app_name != 'Onboard'))
In the editor, add a new attribute: user_remaining_expiration // User Remaining Expiration // Integer
Use that new attribute in your policy. Remember, the attribute won't be pulled (and thus won't be visible in AT) unless you evaluate it either in role mapping or enforcement.
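An added example, not part of the original post: the same CASE expressions run in plain PostgreSQL against a constructed temporary table, to show what each attribute returns for future, past, and NULL expiry times. The table columns, their types, and the sample rows (including the app_name value 'Guest') are assumptions made for illustration, not the real ClearPass schema.

```sql
-- Constructed stand-in for the ClearPass guest table: only the columns the
-- query reads, with assumed types. Not the real tips_guest_users schema.
CREATE TEMP TABLE tips_guest_users (
    user_id     text,
    guest_type  text,
    app_name    text,
    enabled     boolean,
    expire_time timestamptz
);

-- Constructed sample accounts covering each branch of the CASE expressions.
INSERT INTO tips_guest_users VALUES
    ('guest-future', 'USER', 'Guest',   true,  now() + interval '2 hours'),
    ('guest-past',   'USER', 'Guest',   true,  now() - interval '1 day'),
    ('guest-never',  'USER', 'Guest',   true,  NULL),
    ('guest-off',    'USER', 'Guest',   false, now() + interval '30 minutes'),
    ('onboard-dev',  'USER', 'Onboard', true,  now() + interval '2 hours');

-- Same CASE expressions as the authorization query. The per-user filter
-- (user_id = '%{Endpoint:Username}') is dropped so every row is shown;
-- the Onboard row is still excluded by the app_name condition.
SELECT
    user_id,
    CASE WHEN expire_time IS NULL OR expire_time > now() THEN 'false'
         ELSE 'true'
    END AS is_expired,
    CASE WHEN enabled = true THEN 'true' ELSE 'false' END AS is_enabled,
    CASE WHEN expire_time > now()
         THEN CAST(EXTRACT(epoch FROM (expire_time - now())) AS INTEGER)
         ELSE 0
    END AS user_remaining_expiration
FROM tips_guest_users
WHERE guest_type = 'USER' AND app_name != 'Onboard'
ORDER BY user_id;
```

An account with a NULL expire_time is reported as not expired, but its user_remaining_expiration falls through to the ELSE branch and is 0, the same value an expired account gets. A policy condition on the remaining time alone cannot tell the two apart, so pair it with is_expired.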