Here are answers to your questions:
1.) Yes, FortiTokens are still the valid way to handle Two-Factor Authentication with FortiGate products for SSL VPN.
2.) If access to the VPN is granted through an Active Directory group, the VPN does not ask for the FortiToken.
- Make sure that the user group you are mapping to the portal does not include mixed users (some with 2FA enabled and some without 2FA).
- Only users with 2FA enabled should be in that group. Please check that and let me know if that still does not work.