First confirm in AD that the username presented is indeed the user's UPN.
If you want to support both username formats, replace your Authentication filter query with:
(|(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(&(userPrincipalName=%{Authentication:Username})(objectClass=user)))
Ideally, you should choose one username format from a user experience standpoint. Fully qualified username (UPN) is always my recommendation these days.
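
To see what the combined filter above accepts, here is an added example (not part of the original answer or any product's own code): a small Python evaluator for the AND/OR/equality subset of LDAP filter syntax, run over constructed directory entries. The entries, the helper names and the RFC 4515 escaping step are assumptions of this example.

```python
import re

# The filter from the answer above, with its username placeholder left intact.
FILTER_TEMPLATE = ("(|(&(sAMAccountName=%{Authentication:Username})(objectClass=user))"
                   "(&(userPrincipalName=%{Authentication:Username})(objectClass=user)))")

# Constructed sample entries (not real accounts).
ENTRIES = [
    {"sAMAccountName": ["jdoe"], "userPrincipalName": ["jdoe@example.com"],
     "objectClass": ["top", "person", "user"]},
    {"sAMAccountName": ["printers"], "objectClass": ["top", "group"]},
]

def escape(value):
    """Escape RFC 4515 special characters before placing a value in a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse(s, i=0):
    """Parse one filter starting at s[i] == '('; return (node, next_index)."""
    if s[i + 1] in "&|":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1          # step past the closing ')'
    end = s.index(")", i)                 # literal ')' in values is escaped
    attr, _, val = s[i + 1:end].partition("=")
    return ("=", attr, val), end + 1

def matches(node, entry):
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, val = node
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    # AD compares these attributes case-insensitively, so the example does too.
    return any(unescape(val).lower() == v.lower() for v in values)

def lookup(username):
    """Return sAMAccountName of every sample entry the filter selects."""
    flt = FILTER_TEMPLATE.replace("%{Authentication:Username}", escape(username))
    tree, _ = parse(flt)
    return [e["sAMAccountName"][0] for e in ENTRIES if matches(tree, e)]
```

Both `lookup("jdoe")` and `lookup("jdoe@example.com")` select the same user entry, while a name that exists only as a group, or a `DOMAIN\user` style name, selects nothing.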