First of all, let's just say "Authentication Context" has little to do with authentication, not sure why MS picked such a misleading name. It's really a labeling system to give content owner more control over what should be protected, and how.
- Create the context
It's a label can be defined in AAD | security - in here, everything is just a text tag. It has no meaning now until after you use it in a Conditional Access Policy - Link the "auth context" created in step 1 to a "sensitivity label"
"auth context" created above will be shown as an option for you to choose from in your Sensitivity Label'| site setting | "Define external sharing and device access settings" page, there is an option called "Use Azure AD Conditional Access to protect labeled SharePoint sites", under which you will see the label you created in step #1 - Link the context to an access policy
Create a conditional access policy targeting this label (traditionally you can only target applications, user actions, but now you can target a tag/label) - How everything works together
For documents with the abovementioned sensitivity label, its access settings -> context name -> access policy in scope for the context - This way, the level of protection is not limited to be defined only by Azure admin, but by content owner as well.
In other words, Azure AD admin defines a protection option, content owners decide if they want to use that option themselves (by enabling the label) (compare to the old way where Azure admin push down a policy for all things in scope)