Direct MFA integration is meant to be used with Authentication Policy only (Captive Portal). If you are creating an Authentication Profile and go under "Factor", you'll see a note stating: "The factors below are used only for Authentication Policy" (and the Factors reference MFA profiles).


As you've said, through RADIUS you can integrate with any vendor (from the firewall's perspective, this is RADIUS only; it doesn't care what's happening in the background, it is just waiting for an Access Accept/Reject message).


A lot of confusion comes from the fact that MFA is used in Authentication Policies, and Authentication Policies, if triggered for non-web-based traffic, can trigger a user notification through the GP client (GP is used only to relay the message from the firewall that there was an access attempt on port x, when the firewall can't redirect the user to the captive portal, for example with SSH traffic).


