I would certainly agree that you need 2FA on your backup server (and proxy servers & in fact any Windows or Linux server) - we use Duo as suggested in the post. Also, on any computer the Veeam backup console is installed on, we have a policy that mandates that it has 2FA (again using Duo). But this isn't something we can totally enforce, and an attacker could just install the B&R console on any computer they have obtained access to and then access the Veeam server (firewall rules willing). If the Veeam console had 2FA it would add another layer of protection - somebody could do a lot of mischief with "just" Console access.

As I explained before in a few two-factor authentication (2FA) related Veeam forum threads, adding this feature to the Veeam console itself makes little sense, and is best compared to putting a vault-grade door into a chain link fence - considering that the hacker can always connect directly to the backup server instead. In other words, what you really want to protect with 2FA is your backup server itself.
Looking at our other management consoles: vCenter does MFA with tokens and v7 does ADFS, which can be MFA'ed; we use Jamf for our Macs, and again this does SAML with MFA. I get these are both web consoles so it's a different scenario, but a brief Google tells me that Commvault has 2FA on its Commcell Console; no longer familiar (thank god), so don't know the rationale behind it.
Finally, I can see that this could be a regulatory step at some point in the future, where we have to 2FA all the things regardless of the effectiveness of it.