Hacker News
by eli 4475 days ago
No, CSRF isn't relevant. I'm an attacker and I have a server that's pretending to be a Google login form. I also have a client computer with a scripted browser pretending to be someone trying to log in to Google. When you come to my page and log in, I steal your data and immediately have my client program use it to log in. If Google asks my client browser for a 2FA code, behind the scenes I forward that request to you and then when you answer, I forward the answer back to Google. From what Google can see, it just looks like someone logging in from a new computer.

None of this has anything to do with cross-site scripting. It's a MITM attack. CSRF doesn't come into play.