Sounds like possibly some naming confusion here. I just want to clarify:
ZTNA is an access method whereby internal apps are accessed via HTTPS tunnel (without requiring SSL VPN connectivity). Are you using ZTNA?
FortiClient VPN is the free VPN Client from Fortinet
FortiClient is the licensed VPN client from Fortinet and requires a connection to a FortiClient EMS server.
You can run FortiClient and EMS without using ZTNA. ZTNA is one feature out of many included with FortiClient EMS.
So, with that out of the way can we simplify your problem as being "SSL VPN with 2FA works on FortiClient VPN but does not work with full featured FortiClient"?
If so, can you tell me what versions of each FortiClient VPN and FortiClient app you are using? Are the PCs both running same OS and same version?
On the FortiClient app you can collect logs using the diagnostic tool" https://docs.fortinet.com/document/forticlient/7.0.7/administration-guide/748524/diagnostic-tool
Do you see any interesting messages there?