Access tokens with AUTH0_DOMAIN/mfa
audience are restricted to 10 minutes expiry due to security reasons. This cannot be bypassed.
I would use that audience only when the MFA scopes are explicitly required, and use a different or no audience otherwise.