Confirm that the LDAP server profile used for your Group Mapping and your Global Protect authentication profile contain the Netbios domain name (short name) in the domain field. Do not use the DNS name for the domain (domainname.com) In most cases this is the same profile. This can also be left blank in many cases.
The LDAP server profile is under Device > Server Profiles > LDAP In PAN-OS 7.0 and later, the domain section was moved to Device > User Identification > Group Mapping Settings : User Domain In PAN-OS 8.0 the User Domain can also be controlled in the Authentication ProfileUser Domain in the Authentication Profile
Confirm that the group name in the allow list in the Global Protect authentication profile is listed with the long name of the group. This value can be pasted into this value from the output of the "show user group list" CLI command. Authentication Profile Allow List