Grabbing the source for the control panel I found panels/user-accounts/cc-fingerprint-manager.c I found the following short-circuit:
if (act_user_get_uid (priv->user) != getuid () ||
!act_user_is_local_account (priv->user))
{
set_state (self, CC_FINGERPRINT_STATE_NONE);
return;
}
So the section doesn't appear because the user account is not of the "local type". Its not a policy setting from Active Directory, its a policy setting built into the fingerprint UI itself. I've not been able to find any reason in particular for this limitation, perhaps it just an incomplete implementation.
However I did manage to get fingerprint login and lockscreen working. The limitation is only in that one place in the control panel. So just use the command-line to enroll some fingers:
$ fprintd-enroll -f right-index-finger
$ fprintd-enroll -f left-index-finger
$ fprintd-enroll -f right-middle-finger
Logging in/out may be required (haven't validated this), but now on the login and lock screens, after choosing a user (or hitting a key to bring up the password entry) it shows (or swipe finger) just pop your finger on the reader and in you go (can take around a second's delay).
Its possible future changes to Ubuntu and/or Gnome might make an official policy selection that could require Active Directory (or other remote account type policy) to enable fingerprints, but for now it works.
