Is the code that you are sending related to MFA? Or some other business logic? If MFA related, there may be more options that we can explore.
My use-case is related to our business logic, our app is only available in certain countries; thus we require users to validate they're in one of those countries via a code sent to their phones. I've read the docs about the Form API but I don't quite see how would it solve this issue (and, as you said, would negate the benefits of advanced forms). The other option would be just to validate the phone outside FusionAuth (like we're doing right now), but I would like to migrate all the registration-related steps into FusionAuth.