This is something that I have successfully done in the past.  You need to do the following:

1. Set up MFA for the service account that is making REST calls
2. Copy the 16 character MFA secret for the service account.  It is a 16-character string stored in the user_multifactor_auth table, in the field multi_factor_secret.  This is a Password 2-way field, so you will need to use GlideEncrypter to decrypt it and copy the value.
3. Find an MFA library for the scripting language you are using to make the REST calls.  For example, if you are using Python you could use PyOTP, or if you are using Node.js, you could use speakeasy (I have used both of these successfully).
4. In your REST authentication step, instead of sending just the password, you need to send the password + the real-time 6-digit code.  So for example:  If the service account password is "Pass123" and the 6-digit authenticator code right now is 987654, then you would send "Pass123987654" as the password. (See step 3 on this docs page)

That is all that is required.  As you can see, it's actually pretty simple.

My goal is to provide scripts for automating repetitive tasks to our desktop team.
I have used Powershell to make REST calls to SN with a local SN service account (that does not require 2FA).
But when I try to use AD creds (that work for SN browser) which also require Okta 2FA, the call from the same script returns 401 Unauthorized.
For those AD creds I am providing a password value of <DomainPass> + <OktaDigits>
What else is necessary to use creds that require 2FA via REST?