I was able to get this working by using the Azure MFA Server and the Microsoft Authentication app. I ended up dropping it pretty quickly, though. The UAG didn't pass on the user's IP to the RADIUS server, so I couldn't create IP exclusions for my internal network. Also I learned that the Azure MFA Server is discontinued and there's no cloud MFA equivalent, so that's a non-starter.
This blog should get you started on the RADIUS part: https://www.vgarethlewis.com/2019/05/23/integrating-vmware-horizon-with-azure-multi-factor-authentication-server/
Azure MFA would have been an option, but if it's discontinued then I'll avoid that. Thanks for the URL, I'll have a read through it.