Q.) Your app needs to listen on port 8443, but SELinux and firewall block it. How do you allow it securely?
Q.) Enhance SSH security by disabling root login, enforcing 2FA, and idle session cleanup.
Q.) How will you backup your docker container and its data volume - image , volume and metadata ?
Bonus Q.) Write a BASH script to automate that backup solution.
Level L3 and above
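The backup question and its bonus have no answer in the thread. As an added example (not code from the thread or from any of its posters), here is one way to capture all three pieces the question names, metadata, image and volumes, in a single timestamped directory. It assumes a working `docker` CLI and a container whose data lives in named volumes; the `alpine` helper image, the output layout, the `backup/<name>:<ts>` tag and the `DOCKER` override variable are my own choices.

```shell
# Added example for the backup question (not from the thread). Assumes a
# working docker CLI and a container whose data lives in named volumes;
# "alpine" as the helper image and the output layout are my own choices.
# DOCKER is overridable only so the flow can be exercised without a daemon.
set -eu

DOCKER="${DOCKER:-docker}"

# Named volumes attached to the container. Bind mounts are skipped: their
# data is already an ordinary host directory and is backed up with the host.
container_volumes() {   # container
  "$DOCKER" inspect -f \
    '{{range .Mounts}}{{if eq .Type "volume"}}{{.Name}}{{"\n"}}{{end}}{{end}}' "$1"
}

backup_container() {   # container dest-dir -> prints the backup directory
  local name="$1" dest="$2" ts out vol
  ts="$(date +%Y%m%dT%H%M%S)"
  mkdir -p "$dest"
  out="$(cd "$dest" && pwd)/$name-$ts"   # absolute: docker -v needs a full path
  mkdir -p "$out"

  # 1. metadata: ports, env, mounts and labels needed to recreate the container
  "$DOCKER" inspect "$name" > "$out/metadata.json"

  # 2. freeze the processes so the image and volume copies are consistent,
  #    and make sure the container is resumed even if a later step fails
  "$DOCKER" pause "$name"
  trap "'$DOCKER' unpause '$name' >/dev/null 2>&1 || true" EXIT

  # 3. image: commit the container's writable layer, then export it
  "$DOCKER" commit "$name" "backup/$name:$ts" >/dev/null
  "$DOCKER" save -o "$out/image.tar" "backup/$name:$ts"

  # 4. volumes: mount each one read-only into a throwaway container and tar it
  for vol in $(container_volumes "$name"); do
    "$DOCKER" run --rm -v "$vol:/from:ro" -v "$out:/to" alpine \
      tar czf "/to/volume-$vol.tar.gz" -C /from .
  done

  "$DOCKER" unpause "$name"
  trap - EXIT

  # integrity record for the restore side
  if command -v sha256sum >/dev/null 2>&1; then
    (cd "$out" && sha256sum ./*.tar ./*.tar.gz ./*.json > SHA256SUMS)
  fi
  echo "$out"
}

# usage: sh docker_backup.sh <container> /backups
if [ $# -eq 2 ]; then backup_container "$1" "$2"; fi
```

Restoring is the reverse: `docker load -i image.tar`, `docker volume create` plus a helper container that untars each `volume-*.tar.gz`, and `metadata.json` to read back the ports, environment and mounts for the `docker run` line. The pause is the part people skip; without it a database volume can be copied mid-write.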
I'll be posting a series of Linux-related questions covering various skill levels. Feel free to share your insights and expertise. Your contributions will benefit learners at all stages, from those in current roles to those preparing for Linux interviews.
Q.) Your app needs to listen on port 8443, but SELinux and firewall block it. How do you allow it securely?
Answer:
Regarding SELinux, to allow the app to listen on port 8443, we need to add that port
to the SELinux policy. To do so, we use the following command:
# semanage port -a -t <service-type> -p <protocol> 8443
Note: The items within angle brackets (i.e. < >) are shown generically
because the question does not specify this information. Some examples of
service types are ssh_port_t, ftp_port_t, nfs_port_t, smbd_port_t, etc.
My RHEL 9 system shows me 321 possible service types. Some examples
of protocols are tcp, udp, dccp, sctp, ipv4, or ipv6.
The above command will configure SELinux to allow <service-type> to use port 8443.
Whatever the actual name of the service is, it will require restarting for the semanage command to take effect: # systemctl restart <name-of-service>
We're not done because we have to configure our firewall to accommodate this port.
This doesn't require any heavy lifting - here's our command:
# firewall-cmd --zone=public --add-port=8443/<protocol> --permanent
Note: <protocol> is the same keyword used for the semanage command.
Execute the following command to verify that the port/<protocol> has been added
to the firewall (firewalld), to allow communication with port 8443:
# firewall-cmd --list-all
The End
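The answer above gives the two commands. As an added example (my own script, not code from the answer or from Red Hat), here is the same semanage and firewall-cmd sequence made idempotent, with the checks a change window needs: it refuses bad input, looks at `semanage port -l` before adding a label (on a stock RHEL policy 8443/tcp is already `http_port_t`, so a plain `-a` fails with "already defined"; a port owned by a different type needs `-m`), and reloads firewalld before verifying, because `--permanent` alone changes only the saved configuration and the runtime view that `--list-all` shows stays unchanged until `--reload`. It assumes a RHEL-family host with `policycoreutils-python-utils` and firewalld; the type `http_port_t` and zone `public` are defaults to adjust, and the `SEMANAGE`/`FWCMD` variables exist only so the logic can be exercised without root.

```shell
# Added example, not from the thread: idempotent "allow 8443" with checks.
# SEMANAGE/FWCMD are overridable only so the logic can run without root.
set -eu

SEMANAGE="${SEMANAGE:-semanage}"
FWCMD="${FWCMD:-firewall-cmd}"
ZONE="${ZONE:-public}"

valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}
valid_proto() {
  case "$1" in tcp|udp|sctp|dccp) return 0 ;; *) return 1 ;; esac
}

# Is PORT/PROTO listed under TYPE in "semanage port -l"? Matches the exact
# number or a range endpoint; a port hidden inside a range such as
# 1024-65535 is not detected, which is the known limit of this check.
port_labelled() {   # port proto type
  "$SEMANAGE" port -l | grep -E "^$3[[:space:]]+$2[[:space:]]" \
    | grep -Eq "(^|[^0-9])$1([^0-9]|$)"
}
# Is PORT/PROTO labelled under any type at all?
port_labelled_any() {   # port proto
  "$SEMANAGE" port -l | grep -E "[[:space:]]$2[[:space:]]" \
    | grep -Eq "(^|[^0-9])$1([^0-9]|$)"
}

allow_port() {   # port proto selinux-type
  local port="$1" proto="$2" type="$3"
  valid_port "$port" || { echo "invalid port: $port" >&2; return 2; }
  valid_proto "$proto" || { echo "invalid protocol: $proto" >&2; return 2; }

  # SELinux: -a fails with "already defined" when the port carries any label,
  # so check first and use -m to relabel a port that belongs to another type.
  if port_labelled "$port" "$proto" "$type"; then
    echo "selinux: $port/$proto already labelled $type"
  elif port_labelled_any "$port" "$proto"; then
    "$SEMANAGE" port -m -t "$type" -p "$proto" "$port"
  else
    "$SEMANAGE" port -a -t "$type" -p "$proto" "$port"
  fi

  # firewalld: --permanent edits only the saved config; --reload activates it.
  "$FWCMD" --permanent --zone="$ZONE" --add-port="$port/$proto" >/dev/null
  "$FWCMD" --reload >/dev/null

  # verify against the runtime zone, not the file we just wrote
  "$FWCMD" --zone="$ZONE" --list-ports | tr ' ' '\n' | grep -qx "$port/$proto" \
    || { echo "firewalld: $port/$proto not active in zone $ZONE" >&2; return 1; }
  echo "firewalld: $port/$proto open in zone $ZONE"
}

# usage: sh allow_port.sh 8443 tcp http_port_t   (then restart the service)
if [ $# -eq 3 ]; then allow_port "$1" "$2" "$3"; fi
```

Opening a bare port is the coarse option; if the application is a known service, `firewall-cmd --add-service=...` or a custom service definition documents the intent better than a number in the zone, and an SELinux type of the application's own domain rather than a generic one keeps the policy tight. `audit2why` on any remaining AVC denials tells you whether the label you chose is the one the application's domain is actually allowed to bind.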
@martindxc Yes, Google Authenticator is one easily available plugin and you very rightly mentioned PAM. Once these two are configured, you will have to then configure the ssh config to allow 2FA.
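The comment names the three pieces (the Google Authenticator PAM module, PAM, and the sshd configuration) without showing them. As an added example (my own script, not code from the thread or from Red Hat), here is one way to apply all three parts of the SSH question: no root login, key plus TOTP, and idle session cleanup. It assumes a RHEL 9 style sshd whose `sshd_config` carries `Include /etc/ssh/sshd_config.d/*.conf` (so a drop-in wins over the main file) and that `pam_google_authenticator.so` is installed; on older sshd the `KbdInteractiveAuthentication` directive is spelled `ChallengeResponseAuthentication`. The drop-in name, the timeouts, and whether you also comment out `auth substack password-auth` in `/etc/pam.d/sshd` (so the keyboard-interactive step asks only for the TOTP code and not a password) are choices the script leaves to you; it only adds the module line.

```shell
# Added example, not from the thread: sshd hardening for the question above.
# Paths are RHEL-family defaults; the drop-in name and timeouts are my own.
set -eu

SSHD_DROPIN="${SSHD_DROPIN:-/etc/ssh/sshd_config.d/50-hardening.conf}"
PAM_SSHD="${PAM_SSHD:-/etc/pam.d/sshd}"

# The hardening directives. sshd uses the first value it sees for a keyword,
# and the Include line sits at the top of sshd_config, so the drop-in wins.
write_sshd_dropin() {   # file
  cat > "$1" <<'EOF'
# no direct root logins: use a named account and sudo, so actions are attributable
PermitRootLogin no
# key AND TOTP must both succeed; keyboard-interactive is answered by PAM
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
# idle cleanup: probe every 300 s, disconnect after 2 unanswered probes
ClientAliveInterval 300
ClientAliveCountMax 2
# limit what an unauthenticated peer can do
MaxAuthTries 3
LoginGraceTime 30
EOF
}

sshd_directive() {   # keyword file -> value
  awk -v k="$1" '$1 == k { print $2 }' "$2"
}

# Seconds of silence before sshd drops a session under this config.
idle_timeout_seconds() {   # file
  echo $(( $(sshd_directive ClientAliveInterval "$1") * $(sshd_directive ClientAliveCountMax "$1") ))
}

# Add the TOTP module once, before the first auth entry. "nullok" is
# deliberately absent: a user without an enrolled token is refused rather
# than quietly skipping the second factor.
enable_pam_totp() {   # pam file
  local f="$1" line='auth required pam_google_authenticator.so'
  grep -qF 'pam_google_authenticator.so' "$f" && return 0
  awk -v l="$line" '!done && $1 == "auth" { print l; done = 1 } { print }' "$f" > "$f.tmp"
  mv "$f.tmp" "$f"
}

apply() {
  write_sshd_dropin "$SSHD_DROPIN"
  enable_pam_totp "$PAM_SSHD"
  sshd -t                  # refuse to restart on a config sshd will not parse
  systemctl restart sshd
}

# usage: keep one existing session open, then: sh ssh_harden.sh apply
if [ "${1:-}" = "apply" ]; then apply; fi
```

Enrol each user with `google-authenticator` before restarting; with `nullok` left out, an account without `~/.google_authenticator` cannot log in afterwards. Keep a second session open while you test the new login path so a mistake does not lock you out of the host.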
Red Hat Learning Community