Wireguard doesn't support MFA so it isn't complaint to the frameworks we require (I guess Tailscale is). Tho you can make a SSH proxy with MFA if you enforce MFA via PAM (e.g. FIDO2 or TOTP are both possible).
FWIW: WireGuard isn't supposed to support MFA. You're meant to do MFA at a level above WireGuard. WireGuard sessions are keyed directly with Curve25519.
We created a web portal with SAML authentication that provisions and manages wireguard profiles on our edge locations. Employees have to log into the portal to obtain a wireguard configuration, and their configuration(s) are removed when their profile is deprovisioned in the IDP. It’s much easier to support then OpenVPN was - much easier to support and the wireguard client for mobile (at least iOS) just works, whereas the OpenVPN client for iOS was a nightmare to setup.