Conditional multi-factor rule removes permissions from JWT

Thanks for sharing; I confess that I initially assumed only one user was being used for testing this and that the user profile was just updated to toggle MFA on and off, but for the provided tokens the sub claim is different, which indicates different users. With different users there are many more scenarios that could explain the difference in the issued token.

Is it possible for you to perform the tests with the same exact user?