I have a user pool where I want to use custom challenges along with TOTP MFA for authentication. I check if a user has TOTP set up or not in DefineAuthChallenge just after the PASSWORD_VERIFIER challenge is complete. If not set up, I set the next challengeName as "MFA_SETUP" with a session instead of issuing tokens. But when I try to hit aws cognito-idp associate-software-token --session <<session from password-verifier challenge>>
it gives me the following error:
An error occurred (NotAuthorizedException) when calling the AssociateSoftwareToken operation: Invalid session for the user.
even though that session is a valid one.
When I try the same thing using access_token it does not give me any issues. Also, when the MFA mode for the user pool is ON (mandatory), the session from the PASSWORD_VERIFIER challenge can be used to set up MFA via associate-software-token.
Observed differences in MFA ON vs OPTIONAL setup: For ON, the following challenge is automatically issued after PASSWORD_VERIFIER, ignoring the CUSTOM_AUTH triggers, and the following response is obtained:
{
    "ChallengeName": "MFA_SETUP",
    "Session": "<<session>>",
    "ChallengeParameters": {
        "MFAS_CAN_SETUP": "[\"SOFTWARE_TOKEN_MFA\"]"
    }
}
For OPTIONAL, my custom challenge's DefineAuthChallenge trigger is hit after PASSWORD_VERIFIER and sets the next challenge as MFA_SETUP, and the following response is obtained:
{
    "ChallengeName": "MFA_SETUP",
    "ChallengeParameters": {},
    "Session": "<<session>>"
}
I am not sure if I am doing anything wrong in the custom flow. Is there any way I can force users to set up TOTP on first login through such a custom challenge?
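As an added example (not code from the question or from AWS), here is the DefineAuthChallenge decision logic the question describes: after a successful PASSWORD_VERIFIER step, issue tokens if the user already has TOTP enrolled, otherwise answer with MFA_SETUP; a failed step ends the flow. The `has_totp` lookup is an assumed, injected callable (a real Lambda would back it with AdminGetUser's UserMFASettingList); `make_event` builds a constructed trigger event so the logic runs offline.

```python
from typing import Any, Callable, Dict, List


def session_step(name: str, ok: bool = True) -> Dict[str, Any]:
    """One entry of event['request']['session'] (constructed test data)."""
    return {"challengeName": name, "challengeResult": ok}


def make_event(steps: List[Dict[str, Any]], username: str = "alice") -> Dict[str, Any]:
    """Minimal DefineAuthChallenge event shape (constructed for local testing)."""
    return {"userName": username, "request": {"session": steps}, "response": {}}


def define_auth_challenge(event: Dict[str, Any],
                          has_totp: Callable[[str], bool]) -> Dict[str, Any]:
    """Decide the next step of the custom auth flow and return the event.

    has_totp(username) is an assumed lookup injected by the caller so that the
    decision logic can be exercised without calling Cognito.
    """
    session: List[Dict[str, Any]] = event["request"].get("session", [])
    resp = event["response"]
    resp["issueTokens"] = False
    resp["failAuthentication"] = False

    # Any failed step ends the flow instead of handing out another session.
    if session and not session[-1].get("challengeResult", False):
        resp["failAuthentication"] = True
        return event

    last = session[-1]["challengeName"] if session else None
    if last == "SRP_A":
        # Client opened with SRP; ask for the password proof next.
        resp["challengeName"] = "PASSWORD_VERIFIER"
    elif last == "PASSWORD_VERIFIER":
        # Password proven: finish only if TOTP is already enrolled,
        # otherwise push the user into the MFA_SETUP step from the question.
        if has_totp(event["userName"]):
            resp["issueTokens"] = True
        else:
            resp["challengeName"] = "MFA_SETUP"
    elif last == "MFA_SETUP":
        # Setup step reported success: complete the sign-in.
        resp["issueTokens"] = True
    else:
        # Unexpected state (e.g. empty session): do not issue tokens.
        resp["failAuthentication"] = True
    return event
```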