You must buy and activate 2FA on all the servers of the farm to protect all the servers of the farm.
If 2FA is configured only on the gateway, the connections to the application servers will not be protected by two-factor authentication because the 2FA product license is not activated or valid.
The following configurations are available:
Users are configured for 2FA on the gateway, with the following configuration:
The farm application servers are simply configured as follows.
There is no need to set up 2FA users again.
An admin can activate 2FA only on the gateway (and therefore NOT on the application servers), BUT in this case 2FA will only be required for users who connect via the gateway.
if a user goes to the URL of an application server (or goes there live in RDP) then he can connect without 2FA.
in practice if you want to secure your farm with 2FA you have to buy it and activate it on all servers.