I expect the flow would be something as you describe.
Your fourth point: yes, it does work.
When you get redirected to your external MFA pages you will receive a code as part of the redirection (providing authentication was successful). You'll then have to use the code in a POST request to /oauth/token.
This will produce an Access Token which you can use on the /mfa/associate endpoint to enrol an MFA factor.
When the user is redirected to your app, you send another /authorise with your API as the audience/API scopes, and use prompt=none to make a silent auth request. A new Access Token will be returned without the user having to re-authenticate, as they already did this for MFA and the server session should still be valid.
I hope this makes sense.
Warm regards.
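The four steps described in the reply above, walked through as an added example in Python; this is not code from the post or from Auth0. It assumes a tenant domain, client id/secret and redirect URI (placeholders), the standard `authorization_code` grant for the `/oauth/token` POST, a JSON `{"authenticator_types": [...]}` body for `/mfa/associate` (the body shape is taken from the MFA API, not from the post), and that the first Access Token was issued for the MFA API audience. The endpoint is spelled `/authorize` here, which is the actual path the post refers to as `/authorise`. The HTTP transport is injectable so the sequence can be exercised offline against canned responses.

```python
import json
import urllib.parse
import urllib.request

# Constructed placeholder values; replace with your own tenant and client settings.
AUTH0_DOMAIN = "YOUR_TENANT.auth0.com"
CLIENT_ID = "YOUR_CLIENT_ID"
CLIENT_SECRET = "YOUR_CLIENT_SECRET"
REDIRECT_URI = "https://app.example.com/callback"


def urllib_transport(method, url, headers, body):
    """Real HTTP transport: returns (status, response_text). Not used by the offline demo."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


def parse_callback_code(callback_url, expected_state):
    """Step 1: extract the authorization code from the redirect back from the MFA page.
    The state parameter is checked so a code from a different flow cannot be swapped in."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError("authorization failed: %s" % query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch in callback")
    if "code" not in query:
        raise ValueError("callback carried no authorization code")
    return query["code"][0]


def exchange_code(code, transport):
    """Step 2: POST the code to /oauth/token and return the Access Token."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",  # assumed grant type for a redirect code
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "code": code,
        "redirect_uri": REDIRECT_URI,
    }).encode()
    status, text = transport("POST", f"https://{AUTH0_DOMAIN}/oauth/token",
                             {"Content-Type": "application/x-www-form-urlencoded"}, body)
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}: {text}")
    return json.loads(text)["access_token"]


def enroll_factor(access_token, transport, authenticator_type="otp"):
    """Step 3: call /mfa/associate with the Access Token to enrol a factor.
    The body shape is an assumption drawn from the MFA API, not from the post."""
    body = json.dumps({"authenticator_types": [authenticator_type]}).encode()
    status, text = transport("POST", f"https://{AUTH0_DOMAIN}/mfa/associate",
                             {"Authorization": f"Bearer {access_token}",
                              "Content-Type": "application/json"}, body)
    if status != 200:
        raise RuntimeError(f"/mfa/associate returned {status}: {text}")
    return json.loads(text)


def silent_authorize_url(audience, scope, state, nonce):
    """Step 4: build the second /authorize request with prompt=none so the existing
    Auth0 session is reused and the user is not asked to log in or do MFA again."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "audience": audience,   # your own API, per the post
        "scope": scope,
        "prompt": "none",       # silent auth: fail rather than show a login page
        "state": state,
        "nonce": nonce,
    }
    return f"https://{AUTH0_DOMAIN}/authorize?" + urllib.parse.urlencode(params)


def _fake_transport(method, url, headers, body):
    """Offline stand-in for the tenant: constructed canned responses for the demo."""
    if url.endswith("/oauth/token"):
        form = urllib.parse.parse_qs(body.decode())
        if form.get("code") == ["demo-code-123"]:
            return 200, json.dumps({"access_token": "demo-mfa-token", "token_type": "Bearer"})
        return 403, json.dumps({"error": "invalid_grant"})
    if url.endswith("/mfa/associate"):
        if headers.get("Authorization") == "Bearer demo-mfa-token":
            return 200, json.dumps({"authenticator_type": "otp", "secret": "DEMO-SECRET"})
        return 401, json.dumps({"error": "access_denied"})
    return 404, ""


def run_demo():
    """Run the whole sequence against the fake transport and return the results."""
    callback = f"{REDIRECT_URI}?code=demo-code-123&state=st-1"
    code = parse_callback_code(callback, expected_state="st-1")
    token = exchange_code(code, _fake_transport)
    enrolment = enroll_factor(token, _fake_transport)
    url = silent_authorize_url("https://api.example.com", "openid read:data", "st-2", "n-2")
    return token, enrolment, url


if __name__ == "__main__":
    print(run_demo())
```

Swap `_fake_transport` for `urllib_transport` to run against a real tenant; the state check in `parse_callback_code` is the part worth keeping in production, since it ties the code on the callback to the request your app actually started.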