You’re correct; Duo only handles secondary authentication and you still need a separate identity source for primary authentication before continuing on to Duo 2FA (or else we’d be Uno Security).
You do not need to use the Duo custom control for Azure AD conditional access (which is only available in an Azure AD P2 Premium subscription) to add Duo protection to your Cisco AnyConnect VPN logins. In fact, you cannot use the Duo Azure CA control with AnyConnect (because the Azure control is compatible only with applications that show the Duo Prompt in a browser and AnyConnect doesn’t).
You can try this for AnyConnect though:
1. Enable Secure LDAP in your Azure AD domain: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-configure-secure-ldap.
2. Point your Cisco ASA to Azure AD over LDAPS for primary authentication.
3. Proceed with adding secondary authentication via Duo’s LDAP configuration for Cisco: https://duo.com/docs/cisco.
Protecting web-based applications using Azure AD for primary authentication is the most popular use case for the Duo custom control for Azure CA. For example, if you have Office 365 your primary login is the Azure AD account associated with that O365 tenant. If you enabled the Duo custom control in an Azure AD conditional access policy then it would prompt for Duo after primary login with the Azure AD account.
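The three AnyConnect steps above, sketched as ASA CLI configuration. This is an added example, not part of the original post or of Duo's documentation. Every hostname, DN, interface name, group name and credential is a placeholder: `ldaps.example.com`, the `example.com` DNs, the `svc-asa-bind` account, the `VPN-USERS` tunnel group, and the Duo `api-XXXXXXXX` / `DIXXXXXXXXXXXXXXXXXX` values.

```cisco
! Added example: all names and secrets below are placeholders.
!
! Step 2: primary authentication against the Azure AD secure LDAP endpoint
! (enabled in step 1) over TLS on port 636.
aaa-server AZURE-LDAPS protocol ldap
aaa-server AZURE-LDAPS (outside) host ldaps.example.com
 server-port 636
 ldap-over-ssl enable
 server-type microsoft
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-bind,OU=AADDC Users,DC=example,DC=com
 ldap-login-password <bind-account-password>
!
! Step 3: secondary authentication against Duo's LDAPS service.
! The integration key goes in the DNs, the secret key is the bind password.
aaa-server Duo-LDAP protocol ldap
aaa-server Duo-LDAP (outside) host api-XXXXXXXX.duosecurity.com
 timeout 60
 server-port 636
 ldap-over-ssl enable
 server-type auto-detect
 ldap-base-dn dc=DIXXXXXXXXXXXXXXXXXX,dc=duosecurity,dc=com
 ldap-naming-attribute cn
 ldap-login-dn dc=DIXXXXXXXXXXXXXXXXXX,dc=duosecurity,dc=com
 ldap-login-password <duo-secret-key>
!
! Tie both to the AnyConnect connection profile: Azure AD first, then Duo,
! reusing the username from the primary login for the Duo lookup.
tunnel-group VPN-USERS general-attributes
 authentication-server-group AZURE-LDAPS
 secondary-authentication-server-group Duo-LDAP use-primary-username
```

The 60-second timeout on the Duo server group leaves time for the user to answer a push or phone call before the ASA abandons the secondary bind. Use a dedicated read-only account for the Azure AD bind, and restrict inbound access to the secure LDAP endpoint to the ASA's source address.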