You're blowing this entirely out of proportion. The vast vast majority of apps work without issue with sandboxed play services. Yes it's less plug and play than a stock os. No it's not a life-ending inconvenience.
Problem is that if the app that doesn't work is not fungible (see your gym app, your banking app, your community app, etc) then you are out. The best compromise is to have a backup phone for incompatible non-fungible apps
Just looked - Microsoft Authenticator doesn't appear to work. I might be able to get off of it but it will take some prep. My banks are supported so that's good.
Because many admins are horrible and disable TOTP for "security".
My uni does it and I've had use the only alternative option, cell call, and rigged Tasker to automatically answered and play the needed tone so I don't need to carry it with me.
Microsoft authenticator should work on GOS, I can only find single person saying it doesn't but there's plenty of reasons it might not work for them (vpn, too strict exploit protection settings). And there's multiple people mentioning it working fine.