When setting up MFA a request is made as usual for a token, but it is requested for a specific scope (see link in comments). This token can only be used for calls that are related to setting up mfa. We need to pay attention to the response to the initial token request, and put the token and username into the cache for population into later mfa setup requests.
I have a small concern here, in that i believe some of these mfa setup requests can also be made with a regular token. The overall solution for identity and uae has them using our keystone v2 filter for any calls that take a regular token, but the filter would reject such a call that it got with the mfa scoped token. Will discuss with Jorge and update.