Keycloak: 2FA protection for a specific resource
It seems that you are looking for a kind of step-up authentication. This isn't yet implemented in Keycloak, but there's an existing Jira ticket for this here.
There was also already a discussion on the mailing list (and maybe some other threads I didn't find currently).
I also stumbled upon a "Conditional OTP Form Authenticator" from Thomas Darimont, a very active Keycloak community committer.
HTH in some way.
Keycloak will support OOTB step-up authentication in the next release (Keycloak version 17). Nowadays this feature is not officially released, but you can test it by building Keycloak from source (branch: main).
On the other hand, here is an article about Keycloak step-up authentication for Web Apps and API with some findings; perhaps it would help you.