Why is SSLV processing requests for the same domain cut-through and inspect:resign occasionally?

Article ID: 368974

Products

ISG SSLV SSL Visibility Appliance Software

Issue/Introduction

When looking at the SSL session log, you see the same domain appear with both cut-through and inspection:resign verdicts. In this context, the domain is configured to be decrypted, and flows from the domain are not expected to be cut through.

Resolution

SSLV can cut through a flow for several reasons. A common and expected one is that SSLV does not receive the full TLS handshake: it cuts the flow through because it does not have enough information to decide on decrypting it.

Running a packet capture on SSLV while collecting the SSL session log at the same time would confirm this.
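
One way to check a flow from the packet capture for an incomplete handshake, as an added example (not Broadcom's code and not an SSLV tool): the function takes one direction's reassembled TCP payload, assumed to have been exported from the capture beforehand, and reports each plaintext handshake message and whether the capture holds all of it. All names and the sample bytes are constructed for illustration; with TLS 1.3 only ClientHello and ServerHello are sent in plaintext.

```python
import struct

HANDSHAKE = 22  # TLS record content type carrying handshake messages
NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
         12: "ServerKeyExchange", 14: "ServerHelloDone", 16: "ClientKeyExchange"}

def handshake_messages(stream: bytes):
    """List (name, complete) for each plaintext handshake message in one
    direction of a reassembled TCP stream. complete is False when the
    capture ends before the message's declared length is reached."""
    body, pos = b"", 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack("!BHH", stream[pos:pos + 5])
        if ctype != HANDSHAKE:
            break  # ChangeCipherSpec, alert or application data: stop here
        body += stream[pos + 5:pos + 5 + length]  # messages may span records
        pos += 5 + length
    found, i = [], 0
    while i + 4 <= len(body):
        mlen = int.from_bytes(body[i + 1:i + 4], "big")
        complete = i + 4 + mlen <= len(body)
        found.append((NAMES.get(body[i], f"type_{body[i]}"), complete))
        if not complete:
            break
        i += 4 + mlen
    return found

def handshake_is_complete(stream: bytes) -> bool:
    msgs = handshake_messages(stream)
    return bool(msgs) and all(done for _name, done in msgs)

# --- constructed sample data (header fields only; bodies are zero filler) ---
def record(payload: bytes) -> bytes:
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(payload)) + payload

def message(mtype: int, body: bytes) -> bytes:
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

FULL_HELLO = record(message(1, bytes(120)))
CUT_HELLO = FULL_HELLO[:60]          # capture holds only part of the ClientHello
cert = message(11, bytes(900))
SERVER_FLIGHT = record(message(2, bytes(80))) + record(cert[:500]) + record(cert[500:])

if __name__ == "__main__":
    for label, data in [("full", FULL_HELLO), ("cut", CUT_HELLO), ("server", SERVER_FLIGHT)]:
        print(label, handshake_messages(data), handshake_is_complete(data))
```

A flow whose stream yields an incomplete or empty result here is a candidate to compare against the cut-through entries in the SSL session log taken at the same time.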