In what order does all the policies get applied during a Auth Code flow?

We have

  •    Sign on policy
    
  •    Is user assigned to app – Authorization
    
  •    Access policies on Authorization Server
    

Are all 3 policies assigned on the /authorize endpoint during the first request?