We can restrict the use of software TOTP, which is what companies are doing when they move users onto the MS Authenticator app.
Admins can’t control the other TOTP apps like Google Authenticator or Authy unless they go full MDM. And I don’t think someone worried about installing the MS Authenticator app is going to be happy about enrolling their phone in Intune.
Edit: And even then, there is no way to control or force users to use a managed device for software TOTP.