Working on adding MFA but would like to avoid multiple URLs/Realms but that is the only way I see that is jumping out at me. I know there are ways to add restrictions for other functions like Host Checker Policy based on Role so was hoping the option existed to apply additional authentication per role but nothing that I can see. Running 8.3Rx code currently not certain if that is a 9.0Rx or beyond.
The clarify your question is a bit confusing. However, the answer to your question is not specific to versions. Multi Factor Authentication(MFA) per role will not work. Authentication is typically assigned within Realms.
In a typical use case, if Company X acquires Company Y and they have unlike MFA systems, we typically would suggest having Company X to have a default/prime URL for both companies(Single URL). This will eliminate the issue of having multiple URL/Realms within many companies. Whenever a user tries to connect, the user will have an option in the portal to select the correct Realms that binds an MFA. The web portal will have the following menu:
@ggarcia is correct, Authorization (Role assignment) will be done after Authentication (tied to user realm). Hence, having role based MFA is not feasible.