Network authentication is not the same as application authentication.
If I plug a cable into your LAN, I am not subject to MFA to login to a server on your LAN.
If you have a lock on the network port that requires me to type in a PIN code and stick in a key to unlock, and expose the port, that then results in MFA to connect to your network. Your applications behind your network remain without MFA.
MFA VPN is essentially the same thing as the above, but for remote access to the LAN. Applications should still be properly secured.
I suppose it could be argued that this provides a client-side agent to authenticate the end user as well (mumble mumble 802.1x), and if so, then it's arguable whether or not you need another layer of authentication on the application, or if this qualifies as SSO to authenticate you to everything you have access to in the network (so passwordless login to servers, desktops, webapps, etc)
If I plug a cable into your LAN, I am not subject to MFA to login to a server on your LAN.
If you have a lock on the network port that requires me to type in a PIN code and stick in a key to unlock, and expose the port, that then results in MFA to connect to your network. Your applications behind your network remain without MFA.
MFA VPN is essentially the same thing as the above, but for remote access to the LAN. Applications should still be properly secured.
I suppose it could be argued that this provides a client-side agent to authenticate the end user as well (mumble mumble 802.1x), and if so, then it's arguable whether or not you need another layer of authentication on the application, or if this qualifies as SSO to authenticate you to everything you have access to in the network (so passwordless login to servers, desktops, webapps, etc)