OWA with VPN access would probably make the most sense financially if you already have a VPN solution. Do that and block 443 externally and you should be pretty secure.
Any other solution would require Azure / 365 licensing, yes.
Or third-party licensing for any integrated MFA solution with ADFS.