As per Brash, you'd need to incorporate RADIUS into your VPN authentication if you want to utilise MFA on Meraki Client VPN. This means you'd also have to migrate your Meraki Cloud Authentication users to some other authentication back end.
I don't know of anything that will restrict VPN access by MAC address, but you can restrict access to authorised devices.
I don't think this works "right now", but it shouldn't be far away.
You will have to use Cisco AnyConnect with SAML authentication against Duo. At the moment, AnyConnect uses its internal web browser to process the authentication, but I believe this is being replaced by an external browser soon.
If you use Cisco AnyConnect, and SAML authentication against Cisco Duo, then you can use Duo Trust.
One of the health requirements you can specify is that a machine must have a registered GUID in Duo (which is like a MAC address but more secure). If you do this, then you can say only registered machines can log in via VPN.
If you only use the trusted devices, it might even work now with the AnyConnect embedded browser - I don't know. I haven't used it in such a limited scope. But wider health policies, like requiring machines to have specific patches, be running antivirus, etc., will definitely need the AnyConnect external browser support.
You need to have a Duo Beyond plan to get the above features.