Complying with DISA STIGs for RHEL8 with sssd
I am trying to understand how DISA thinks I am supposed to implement MFA for my RHEL8 servers that are all virtual machines. They have lots of checks to make sure my servers are configured to use SmartCards and do authentication using sssd, but to my untrained eye, that only seems like it would work if my servers were physical, had USB SmartCard readers, and were using Gnome Desktop or similar GUI. Typically they would call this out as not applicable if the above were not true, but there is no caveat or exception in their checks that I can see. Not only are my RHEL8 VMs virtual, but they are also GUI-less. Even if I add the hundreds of packages needed to get sssd/gnome running, add a virtual USB port, install the VMware Remote Console app, and pass through the SmartCard on my local PC, the VMware Virtual Machine STIG forbids using the console for anything other than troubleshooting tasks.
Am I missing some new capability in SSSD/SSH that would allow for using MFA/SmartCard to authenticate a remote session from a Windows or Linux PC? I have had PuttyCAC working in the past, but that is the only app I've ever seen that worked with establishing an SSH session with a SmartCard and it did not use sssd at all. It worked more like an ssh key.
I think I understand what they want, and it seems fine for a GUI'ed workstation, but on a headless virtual server, how is this supposed to be accomplished? What am I missing?