The issue is that MFA enforcement can differ from attaching policies directly to users and using assume role. I would create one policy that assumes the role and ensures MFA is present and a trust policy that ensures the role enforces MFA during assumption. MFA needs to be enforced on the trust policy and removed from the regular policy.

As discussed and confirmed by @Vincent Verbist.