This is not a question. I found a similar thread, "Mfa_token is not returning when login via Resource Owner Password post method", which did not have the correct answer.
When we try out the resource owner password grant type request to obtain the MFA API token, Auth0 returns an access token with a 200 OK status code even when MFA is enabled on the tenant. The reason for this is that the user account used in the request does not have a verified email address.
If the email address is verified, then Auth0 returns a 403 error along with the MFA API token.
So, to solve this issue, you need to get the user’s email address verified.
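A client-side check for the two outcomes described in the post, as an added example that is not part of the original post or Auth0's own code: it classifies a password-grant reply from `/oauth/token` and flags the 200 OK case where tokens were issued without an MFA step for an unverified email. The function names and sample responses are constructed, and the `email_verified` check assumes the request asked for the `openid email` scopes so that an ID token is returned.

```python
import base64
import json

def jwt_claims(token):
    """Decode a JWT payload without verifying it (diagnostic use only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def classify_token_response(status, body):
    """Classify an /oauth/token reply to a password-grant request."""
    if status == 403 and body.get("error") == "mfa_required":
        # Expected path with MFA on: keep mfa_token for the MFA API calls.
        return {"outcome": "mfa_challenge", "mfa_token": body.get("mfa_token")}
    if status == 200 and "access_token" in body:
        verified = None
        if "id_token" in body:  # assumption: "openid email" scopes were requested
            verified = jwt_claims(body["id_token"]).get("email_verified")
        if verified is False:
            # The case described in the post: tokens issued with no MFA step.
            return {"outcome": "tokens_without_mfa_unverified_email", "mfa_token": None}
        return {"outcome": "tokens_without_mfa", "mfa_token": None}
    return {"outcome": "error", "mfa_token": None}

def _fake_id_token(claims):
    """Build an unsigned, constructed JWT for the sample data below."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

# Constructed sample responses (not captured from a real tenant).
SAMPLES = [
    (403, {"error": "mfa_required",
           "error_description": "Multifactor authentication required",
           "mfa_token": "EXAMPLE_MFA_TOKEN"}),
    (200, {"access_token": "EXAMPLE_AT", "token_type": "Bearer",
           "id_token": _fake_id_token({"email": "user@example.com",
                                       "email_verified": False})}),
    (403, {"error": "invalid_grant", "error_description": "Wrong email or password."}),
]

if __name__ == "__main__":
    for status, body in SAMPLES:
        print(status, classify_token_response(status, body)["outcome"])
```

Treating `tokens_without_mfa_unverified_email` as a failure in integration tests catches accounts that would otherwise sign in through this grant without the MFA challenge.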