This should have been the first thing I tried but, rather unhelpfully, the Google page where you create app passwords says "You'll only need to enter it once so you don't need to remember it" and later "You won't need to remember it, so don't write it down or share it with anyone." This suggested to me that these passwords are single-use (i.e. an OTP) but testing suggests that this is not the case. Also, whilst using app passwords requires that you enable 2FA on the account, they do _not_ require you to enter the 2nd factor when logging in with the app password (obvious in hindsight, but not made clear by the documentation).
I just tested that these work even when "less secure apps" is disabled at the domain admin level (and by extension the individual account). Indeed, after enabling 2FA for the account the option to enable/disable "less secure apps" is removed. So it seems that you can either have no-2FA + (optional) less-secure apps OR 2FA + app passwords.