This does work. I have done and used it.
Personally, I think Azure Conditional Access is a pig when you have more than a handful of policies. It is difficult to see how policies overlap, and I have personally introduced security weaknesses when using Conditional Access by failing to think about how groups of policies interact with each other. It is easy to focus on the one new policy you are trying to create or edit, and forget how it changes the operation of existing policies.
Personally, I use Cisco Duo for most customers now. I consider it more secure because it is less prone to security vulnerabilities caused by inadvertent human error.
"Require multi-factor authentication" requires an MFA prompt if you are outside any configured session limit configured in any other policy that is applied to the user. For example, if you have a session limited configured for 60 minutes, and the user logged into Office 365 10 minutes ago, they will not get an MFA prompt for AnyConnect (or any other SAML application).
I think the session limit has a minimum configured limit of 60 minutes that you can not reduce. I could be wrong on this one.
I think it is impossible to force Azure to do an MFA prompt without any other strings attached using SAML.
I have had customers with Azure Conditional Access say they want an MFA prompt on every VPN login when using SAML - and I keep telling them this is not possible. It's an Azure AD restriction. If they want that they need to use another solution like Cisco Duo.
And the kicker is - Cisco Duo MFA is cheaper than Azure AD Premium 1.
Once you use something like Cisco Duo, you never want to go back to conditional access. It's yucky.