Our use case is this:

• We have users that will be able to log in using their username/password (with MFA optionally turned on).
• Separately, we want to be able to grant programmatic access to these users as well. Programmatic access obviously precludes any ability to do MFA so we were looking for a way around it. We thought the Application Token might be ideal.

Obviously the presence of the Application Token somewhat reduces the security of the MFA itself. The idea is that we would ask users to treat the Token as such.

We're willing to work outside the box here if you have any alternate ideas for accomplishing said functionality.

Is this possible? Can anyone think of any workarounds that would accomplish as much?

I don't believe this is possible within the FusionAuth hosted login pages. A user has 2fa enabled or they don't, and the auth tokens follow the same login flow.

If you wanted to have your application handle passwords (not typically a good idea, but possible), I suppose you could see if a password looked like an auth token (or maybe have a different endpoint) and then turn off, via an API call, the 2fa requirement for a given user. Seems error prone, but possible. Make sure you secure your application well if this is a path you choose.

It seems like you are looking for a way around 2fa, like some of the one time codes that Google provides. If so, here's a discussion on that very topic:
https://fusionauth.io/community/forum/topic/330/is-it-possible-to-disable-two-factor-without-providing-the-two-factor-code

That led to a github issue: https://github.com/FusionAuth/fusionauth-issues/issues/871

Which we're planning to deliver with our MFA overhaul, which is currently planned for the 1.24.0 milestone: https://github.com/FusionAuth/fusionauth-issues/milestone/71 (and will be a feature for our paid editions, in the spirit of transparency).