security – Limitations of two-factor authentication

I have to manage a web application development project in the finance sector. Being on the internet, the application is vulnerable. One of the team members has pointed out a vulnerability in local storage, because we store the JWT in local storage. According to this team member, an XSS attack on our app can recover the token.
I proposed to the team to use two-factor authentication (with Google Authenticator, for example) for critical tasks. According to you, is the application protected against XSS attacks with two-factor authentication? What are the limits of two-factor authentication?
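
The "two-factor for critical tasks" idea from the question, sketched server-side as an added example (not code from the original post): a critical action needs a fresh, single-use TOTP code in addition to the session token, while non-critical actions are still authorized by the token alone. The names `authorize`, `verifyTotp`, `usedSteps` and the `action.critical` flag are hypothetical, the JWT is assumed to be verified already, and the replay guard is an in-memory map.

```javascript
// Added example: step-up check for critical actions (all names are hypothetical).
const crypto = require('node:crypto');

// RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits), the scheme authenticator apps use.
function totp(key, unixSeconds, step = 30, digits = 6) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixSeconds / step)));
  const mac = crypto.createHmac('sha1', key).update(counter).digest();
  const off = mac[mac.length - 1] & 0x0f;          // dynamic truncation offset
  const bin = mac.readUInt32BE(off) & 0x7fffffff;  // 31-bit value
  return String(bin % 10 ** digits).padStart(digits, '0');
}

const usedSteps = new Map(); // userId -> last accepted time step (replay guard)

function verifyTotp(userId, key, code, now, window = 1) {
  const current = Math.floor(now / 30);
  for (let s = current - window; s <= current + window; s++) {
    if (s <= (usedSteps.get(userId) ?? -1)) continue; // step already consumed
    const expected = Buffer.from(totp(key, s * 30));
    const given = Buffer.from(String(code));
    if (given.length === expected.length && crypto.timingSafeEqual(given, expected)) {
      usedSteps.set(userId, s); // a code is accepted once only
      return true;
    }
  }
  return false;
}

// session: claims taken from an already-verified JWT (assumption; not shown here).
function authorize(session, action, totpCode, key, now) {
  if (!session) return 'denied';
  if (!action.critical) return 'allowed'; // the token alone still covers these
  return verifyTotp(session.sub, key, totpCode, now) ? 'allowed' : 'step-up-required';
}
```

The second factor here only gates the actions flagged as critical; anything else the token authorizes stays reachable with the token alone.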