enabling pam.d/google authenticator/2-factor authentication in sshd prevents EC2 Instance Connect from accessing instance

Question: is it possible to configure SSHD to enforce 2-factor for all users, but also allow AWS EC2 Instance Connect to continue working?


AWS has this feature "EC2 Instance Connect" that provides a way to ssh in as a user from the AWS Console. It uses AWS APIs to put a temporary public key on the instance and then connects via ssh. (At least, I think that's what it does)

I've followed this guide to add multi-factor to ssh, however, it breaks the ability to connect to this instance from EC2 Instance Connect.

I believe it fails to connect because of this line in /etc/ssh/sshd_config: AuthenticationMethods publickey,keyboard-interactive -- because AWS connects only by public key.

However, that article goes on to suggest that the nullok config in /etc/pam.d/sshd should allow users to bypass 2-factor if they don't have it configured (if ~/.google_authenticator doesn't exist in the user's home directory), which my root and ec2-users don't have. However, I'm still not able to connect from the console as root or ec2-user.

So yea - is there a way to have this working for both situations? Thank you!
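The behaviour the question describes comes from the fact that sshd enforces AuthenticationMethods itself, per connection, before or alongside whatever the PAM stack decides, and that the directive may be set differently for particular accounts inside a Match block. The following is an added example, not part of the question or of any answer on this page: it parses a constructed sshd_config (the global "publickey,keyboard-interactive" policy plus a hypothetical "Match User ec2-user,root" block that narrows those accounts to "publickey") and reports which chain sshd would apply to a given user. Account names and the config text are assumptions for illustration. Note the trade-off such an override makes: the accounts in the Match block no longer get a second factor, so the rest of the policy (who may log in as them, which keys are accepted) has to carry that weight.

```python
"""Work out which sshd AuthenticationMethods chain applies to a given user.

Added example: parses a small subset of sshd_config (global directives and
`Match User` blocks) and applies sshd's rule that a keyword set inside a
satisfied Match block overrides the global value, with the first satisfied
block that sets the keyword winning.
"""

# Constructed sample config (not the poster's file). The global policy
# requires a public key AND keyboard-interactive (the PAM/TOTP prompt);
# the Match block drops the second factor for the accounts that EC2
# Instance Connect logs in as, since it only presents a public key.
# The account names in the Match line are an assumption for illustration.
SAMPLE_SSHD_CONFIG = """\
# Global policy: key + second factor for everyone
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive

# Per-account override (assumed account names)
Match User ec2-user,root
    AuthenticationMethods publickey
"""


def parse_sshd_config(text):
    """Return (global_directives, match_blocks).

    match_blocks is a list of (set_of_users, directives) in file order.
    Only `Match User ...` criteria are supported; anything else raises.
    """
    global_conf = {}
    blocks = []
    current = global_conf
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)           # keyword, rest (spaces or tabs)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            crit_parts = value.split(None, 1)
            if len(crit_parts) != 2 or crit_parts[0].lower() != "user":
                raise ValueError("only 'Match User' is supported: " + line)
            current = {}
            blocks.append((set(crit_parts[1].split(",")), current))
        else:
            current[key] = value
    return global_conf, blocks


def effective_auth_methods(text, user):
    """Return the AuthenticationMethods alternatives sshd would apply to user.

    Each alternative is the ordered list of methods that must ALL succeed
    (comma-separated in sshd_config); alternatives are space-separated.
    An empty list means the directive is unset, i.e. any one method suffices.
    """
    global_conf, blocks = parse_sshd_config(text)
    value = None
    for users, directives in blocks:
        # First satisfied Match block that sets the keyword overrides global.
        if user in users and "authenticationmethods" in directives:
            value = directives["authenticationmethods"]
            break
    if value is None:
        value = global_conf.get("authenticationmethods", "")
    if value in ("", "any"):
        return []
    return [alt.split(",") for alt in value.split()]


def second_factor_required(text, user):
    """True if every alternative chain for user includes keyboard-interactive."""
    alternatives = effective_auth_methods(text, user)
    return bool(alternatives) and all(
        "keyboard-interactive" in alt for alt in alternatives
    )


if __name__ == "__main__":
    for account in ("alice", "ec2-user", "root"):
        print(account, effective_auth_methods(SAMPLE_SSHD_CONFIG, account),
              "second factor required:",
              second_factor_required(SAMPLE_SSHD_CONFIG, account))
```

On a real host the same question can be put to sshd directly with its extended test mode, which prints the effective configuration for a hypothetical connection: `sshd -T -C user=ec2-user | grep -i authenticationmethods`. Comparing that output for an ordinary account and for the account EC2 Instance Connect uses shows at a glance whether the keyboard-interactive requirement is what blocks the public-key-only login.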
