In all cases most modern browsers will reject an app's request for location if there are any insecure scripts or iframes loaded on the page. Internet Explorer and some older versions of other browsers will still provide the location to an app even though it is a security vulnerability.
In your case the web app builder will work in every browser except the latest version of Safari (Safari, added more rules that requires all content to be requested over https, including images) because their is a secure connection for all scripts and iframe. However, as I mentioned, there is not a reliable way for apps to determine if their connection is secure and then display the button in only these cases.
The Story Maps team has decided to take a stronger approach to determine when we display the locate button. Because many viewers of story map apps are the general public we try to make our apps as simple to use as possible. We have chosen not to show the locate button to users if they will constantly get a error message that their location cannot be determined. Even if they double check their device location permissions they will still always see this message which leads to confusion. Also, we want to follow security best practices even if an older browser leaves this vulnerability open to attack. Especially because a public user has a higher likelihood that they are accessing the story from a public wifi hotspot where these attack are more likely to occur.
One other note, I looked at your story and it appears a couple of your tabs have private content in them that requires a login. Make sure to test the public version of your app from a browser you don't typically use and when you are logged out of your arcgis online account. Unfortunately, private content that requires a login from ArcGIS Online and many other services will not allow their sign-in page to be embedded and the app will not load. This is security vulnerability because the parent page or other scripts may try to steal the user's credential. It may look like it's working for you because if you are still logged into a service the embedded app can authenticate with a browser cookie instead of redirecting to a login page.