Are you just wanting to enable MFA when connecting to an AAD-joined Session Host/Pool from a non-joined machine?
If so this is supported via standard Conditional Access policies.
So if my user is on a non-AAD joined machine or a machine joined to another tenant. I should be able to enforce conditional access in this case.
Just add the Azure Virtual Desktop (app ID 9cdead84-a844-4324-93f2-b2e6bb768d07) Cloud App to the Cloud apps or actions, and set the Grant Access to Require MFA.
However, in order to connect to an AAD joined machine from a non-joined machine you will need to add the tennantisaadjoined:i:0 setting to the RDP properties of the host or it will fail to connect.
James