Use of httpRequestClient to filtering calls to Okta and tie down global session policy

Currently, the global session policy is open to internet. I am looking for a way to tie down the global session policy to ip addresses associated to my backend service, so that I can have users to logon from my native application instead of login into Okta directly. I am using httpRequestClient in Okta client configuration in my native app which would integrate with a downstream backend service which then calls Okta directly.

I am able to achieve the OIDC flow for the user with MFA (I dont get an Okta session but I get Okta access, id and refresh tokens). However, when the user tries to login again, the user is prompted for MFA again. The policy shouldn’t should prompt the user MFA again.

export const oktaClient = () => {
  return new OktaAuth({
    clientId: "myClientID",
    issuer: "myCustomDomainUrl",
    redirectUri: redirectUri,
    pkce: true,
    scopes: ['openid', 'offline_access'],
    logoutUrl: "https://myCustomDomainUrl/oauth2/authzServerId/v1/logout",
    httpRequestClient: myFunction
  });
};
myFunction : calls backend service and it passes all the headers and data from the SPA app to backend service which in turn forwards to Okta.

As per Okta logs, user always has a new device location as positive. Not sure if this is the reason as to why the user is prompted for MFA for each login flow.

When my SPA app integrates with Okta directly (not going through backend service), the user is prompted for MFA for the first login and not for the second login attempt, which is the expected behavior.