Thanks for all the info!
It sounds like you don’t have MFA enabled at the tenant level (Dashboard → Security → Multi-factor Auth)? I believe you may need to have this enabled in order to receive an MFA token that can be used at /mfa/challenge. If MFA is enabled and you go to log a user in, you should receive an error like:
```json
{
  "error": "mfa_required",
  "error_description": "Multifactor authentication required",
  "mfa_token": "Fe26...Ha"
}
```
This token should work to challenge. You could also try adding https://YOUR_DOMAIN/mfa/ as an audience, but I am not positive that will work either.
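The flow the reply describes, as an added Python example that is not part of the original post and not Auth0's own code: classify the token-endpoint response, pull the `mfa_token` out of an `mfa_required` error, and build the follow-up request to `/mfa/challenge`. `DOMAIN`, `CLIENT_ID`, the sample response and the fake `post` function are constructed placeholders; the challenge body shape (`mfa_token`, `client_id`, `challenge_type`) is an assumption based on Auth0's MFA API and is not stated in the post. A response that claims `mfa_required` but carries no token is treated as an error rather than silently retried.

```python
import json
from typing import Any, Callable, Dict

# Hypothetical tenant values: substitute your own (not taken from the post).
DOMAIN = "YOUR_DOMAIN"          # e.g. your-tenant.auth0.com
CLIENT_ID = "YOUR_CLIENT_ID"

# Any callable that POSTs JSON to a URL and returns the decoded JSON reply.
HttpPost = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def parse_token_response(body: str) -> Dict[str, Any]:
    """Classify a JSON reply from /oauth/token.

    Returns one of:
      {"status": "ok", "access_token": ...}          normal grant
      {"status": "mfa_required", "mfa_token": ...}   tenant demands MFA
      {"status": "error", "error": ..., "description": ...}
    Raises ValueError if mfa_required arrives without an mfa_token, since
    there is nothing to hand to /mfa/challenge in that case.
    """
    data = json.loads(body)
    if "access_token" in data:
        return {"status": "ok", "access_token": data["access_token"]}
    if data.get("error") == "mfa_required":
        token = data.get("mfa_token")
        if not token:
            raise ValueError("mfa_required response did not include an mfa_token")
        return {"status": "mfa_required", "mfa_token": token}
    return {
        "status": "error",
        "error": data.get("error"),
        "description": data.get("error_description"),
    }


def build_challenge_request(mfa_token: str, challenge_type: str = "otp") -> Dict[str, Any]:
    """Build the POST for https://DOMAIN/mfa/challenge.

    Body shape is an assumption based on Auth0's MFA API docs: the mfa_token
    from the error above is sent in the JSON body along with the client_id and
    the requested challenge type.
    """
    return {
        "url": f"https://{DOMAIN}/mfa/challenge",
        "json": {
            "mfa_token": mfa_token,
            "client_id": CLIENT_ID,
            "challenge_type": challenge_type,
        },
    }


def handle_login(post: HttpPost, token_response_body: str) -> Dict[str, Any]:
    """Drive one step: if the token endpoint said mfa_required, issue the
    challenge request through `post` and return its reply; otherwise return
    the classified token response unchanged."""
    result = parse_token_response(token_response_body)
    if result["status"] != "mfa_required":
        return result
    req = build_challenge_request(result["mfa_token"])
    return post(req["url"], req["json"])


# Constructed sample reply, mirroring the error shown in the post.
SAMPLE_MFA_REQUIRED = json.dumps({
    "error": "mfa_required",
    "error_description": "Multifactor authentication required",
    "mfa_token": "Fe26...Ha",
})


def fake_post(url: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """Offline stand-in for an HTTP client; echoes what would have been sent."""
    return {"sent_to": url, "sent_body": body}


if __name__ == "__main__":
    print(json.dumps(handle_login(fake_post, SAMPLE_MFA_REQUIRED), indent=2))
```

In a real client, `post` would be `requests.post(url, json=body).json()` or similar; the challenge reply then drives the MFA verification step, which the post does not cover.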