Remove or modify the "Log On To" options for the affected account.
This option can stop Target Accounts from being able to log in, because the login request is not seen as coming from a host on the allowed list. When reviewing the Security log for Event ID 4625 (failed logon) in Event Viewer, there is a parameter called "Workstation Name". If you continue to use Log On To, this is the computer name that must be present in the account's Log On To list for the failed login to succeed next time. It is usually the End User's (PAM User's) workstation, but it may be a jump server or similar depending on the exact environment and usage. When connecting through PAM, the computer PAM is running on is not seen as the origin of the request; the originating computer is the one the PAM User connected from, so if you add entries to this list, each PAM User who needs access would likely need their personal workstation(s) added.
Most admins attempting to configure this option with PAM are trying to restrict RDP access so that it is only allowed when it comes through PAM. Since that would require putting every end user's workstation in each Log On To list, it is not feasible for most environments. One option that can achieve this use case is to use firewalls to block inbound traffic on port 3389 unless it comes from a PAM address.
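The following PowerShell is an added example, not part of the original article or the PAM product: it lists the "Workstation Name" values from recent 4625 events for a Target Account, flags which ones are missing from that account's Log On To list (the AD `LogonWorkstations` attribute), and shows the firewall alternative by scoping the built-in Remote Desktop rules to a PAM address. The account name `svc-target` and the PAM address are placeholders; it assumes the ActiveDirectory module is available and that it runs on the host that logged the 4625 events.

```powershell
# Added example (not from the original article). Placeholders: 'svc-target', '10.0.0.5'.
Import-Module ActiveDirectory

function Get-MissingLogOnToWorkstations {
    param(
        [Parameter(Mandatory)] [string] $TargetAccount,
        [int] $MaxEvents = 500,
        [switch] $OnlyWorkstationRestriction   # keep only sub-status 0xC0000070 (not allowed at this workstation)
    )
    # "Log On To" in ADUC is stored in LogonWorkstations: a comma-separated list of
    # computer names. An empty value means the account may log on from any computer.
    $user = Get-ADUser -Identity $TargetAccount -Properties LogonWorkstations
    $allowed = @()
    if ($user.LogonWorkstations) {
        $allowed = $user.LogonWorkstations -split ',' | ForEach-Object { $_.Trim().ToUpper() }
    }

    # Read recent failed logons (Security log, Event ID 4625) and pull the EventData fields.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $seen = @{}
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -ne $user.SamAccountName) { continue }
        if ($OnlyWorkstationRestriction -and $data['SubStatus'] -ne '0xC0000070') { continue }
        $ws = ([string]$data['WorkstationName']).Trim().ToUpper()
        if (-not $ws -or $ws -eq '-') { continue }          # 4625 logs '-' when no name was supplied
        if (-not $seen.ContainsKey($ws)) { $seen[$ws] = $e.TimeCreated }
    }

    # One row per workstation that failed; OnLogOnToList=False means it would need adding.
    foreach ($ws in $seen.Keys) {
        [pscustomobject]@{
            WorkstationName = $ws
            LastFailure     = $seen[$ws]
            OnLogOnToList   = ($allowed -contains $ws)
        }
    }
}

# Firewall alternative from the article: leave Log On To empty and restrict the host's
# built-in "Remote Desktop" inbound rules (TCP/UDP 3389) to the PAM address(es) only.
function Limit-RdpToPam {
    param([Parameter(Mandatory)] [string[]] $PamAddress)   # e.g. '10.0.0.5' (placeholder)
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -RemoteAddress $PamAddress
}

Get-MissingLogOnToWorkstations -TargetAccount 'svc-target' | Format-Table -AutoSize
```

Run the first function on the machine whose Security log recorded the failures (the target server or a domain controller); the second must run on each target host and relies on the firewall profile's default inbound action being Block.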