Hi there, sorry to bump an old thread.
I am encountering a similar issue where disabling the RD RAPs isn't ideal for our organization. We need to implement 2FA for External Users only, but we also use Terminal Servers in our Interior Network. Most External Users connect to a Terminal Server; however, I believe if we install Duo RDP on the Terminal Server, it will require 2FA for both Internal Network RDP and External RDP.
I've also tried Duo RD Gateway, but disabling the RD RAP allows anyone who passes the 2FA to connect to any server with Remote Access enabled, which isn't ideal.
Is there any way around this yet?