I've worked out the problem. I was extending "AAD-UserReadUsingObjectId" in my extension policy but had added the following item to the Metadata element:

<Metadata>
    <Item Key="api-version">1.6</Item>
</Metadata>

When I remove this, strongAuthenticationPhoneNumber is read successfully.