Sorry for the delayed response here, but wanted to loop back on this one.
You have 2 options:
1. Configure silent auth to request an access token with the MFA API audience and enroll scope. Once they’ve completed MFA-related actions, you will want to perform silent auth once again in order to continue normal operations with the originally requested API audience.
2. In my opinion the easier option - Use the Management API to proxy requests through a backend. Similar (albeit a different use case) to what is outlined here: