Currently, the Secure Network Authentication requires that multi-factor authentication (MFA) be disabled for the app when using EAP-TTLS.
If you use Microsoft Entra ID premium, you can create a rule to exclude this only for the Universal ZTNA application. For more information, see Disable MFA using Microsoft Entra ID Premium.
If you don‘t use Microsoft Entra ID premium, this must be disabled for all users. For more information, see Disable MFA without Entra ID Premium.