cnspec not honoring filters in query pack groups #892

Open
tas50 opened this issue Oct 25, 2023 · 0 comments
Member

tas50 commented Oct 25, 2023

Describe the bug
When running our SOC2 query pack on a host endpoint it incorrectly applies the Azure checks that are also in this query pack.

    $ cnspec scan host https://mondoo.com
    → using service account credentials
    → discover related assets for 1 asset(s)
    → synchronize assets

     mondoo.com ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────  n/a score


    Asset: mondoo.com
    -----------------

    Data queries:
    error: incorrect provider for asset, not adding
    microsoft.enterpriseApplications.where: null
    error: incorrect provider for asset, not adding
    azure.subscription.network.securityGroups: null
    tls.domainName: "mondoo.com"
    error: incorrect provider for asset, not adding
    azure.subscription.networkService.publicIpAddresses: null
    tls.ciphers: [
      0: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
      1: "TLS_AES_128_GCM_SHA256"
      2: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
      3: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
      4: "TLS_CHACHA20_POLY1305_SHA256"
      5: "TLS_AES_256_GCM_SHA384"
    ]

The query pack itself has filters at the group level that don't seem to be honored:

    groups:
      - title: Asset inventory
        filters: "true"
        queries:
          - uid: mondoo-compliance-inventory-asset-data
      - title: Azure
        filters: asset.platform == 'azure'
        queries:
          - uid: mondoo-compliance-inventory-azure-public-ips
          - uid: mondoo-compliance-inventory-azure-load-balancers
          - uid: mondoo-compliance-inventory-azure-nat-gateways
          - uid: mondoo-compliance-inventory-azure-vpn-gateways-config
          - uid: mondoo-compliance-inventory-azure-defender-cloud-config
          - uid: mondoo-compliance-inventory-azure-security-groups
          - uid: mondoo-compliance-inventory-azure-virtual-networks
          - uid: mondoo-compliance-inventory-azure-vpn-app
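
As an added example (not part of the original issue or of the cnspec code base), the following Python check reads the `Data queries` output shown in the report and lists the queries that hit the provider error, grouped by root resource, so a scan of a non-Azure asset can be checked for this symptom. It assumes each error line refers to the query printed on the next top-level line, as the ordering in the report suggests; `misapplied_queries` and `by_root_resource` are hypothetical helper names.

```python
import re

# Constructed sample: the "Data queries" section from the report, cipher list abbreviated.
SAMPLE_OUTPUT = """\
Data queries:
error: incorrect provider for asset, not adding
microsoft.enterpriseApplications.where: null
error: incorrect provider for asset, not adding
azure.subscription.network.securityGroups: null
tls.domainName: "mondoo.com"
error: incorrect provider for asset, not adding
azure.subscription.networkService.publicIpAddresses: null
tls.ciphers: [
  0: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
  1: "TLS_AES_128_GCM_SHA256"
]
"""

PROVIDER_ERROR = "error: incorrect provider for asset, not adding"
# A top-level data query line starts at column 0 with a dotted resource path.
QUERY_LINE = re.compile(r"^([A-Za-z_]\w*(?:\.\w+)+):")


def misapplied_queries(scan_output):
    """Return the data queries printed directly after a provider error.

    Assumption: the error line belongs to the next top-level query line.
    """
    flagged = []
    pending_error = False
    for line in scan_output.splitlines():
        if line.strip() == PROVIDER_ERROR:
            pending_error = True
            continue
        match = QUERY_LINE.match(line)
        if match:
            if pending_error:
                flagged.append(match.group(1))
            pending_error = False  # any query line consumes a pending error
    return flagged


def by_root_resource(queries):
    """Group flagged queries by first path segment (azure, microsoft, ...)."""
    grouped = {}
    for query in queries:
        grouped.setdefault(query.split(".", 1)[0], []).append(query)
    return grouped


if __name__ == "__main__":
    for root, hits in sorted(by_root_resource(misapplied_queries(SAMPLE_OUTPUT)).items()):
        print(f"{root}: {len(hits)} query(ies) hit the provider error: {hits}")
```
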