Now use the Citrix Virtual Apps and Desktop Service to publish YubiKey PIV Manager to your users. This is how it will look to your users in their Citrix Workspace. You have now basically created a smart card management system (SCMS) capable of remote onboarding using Citrix. 🙂 Have the users launch the YubiKey PIV Manager.
With a higher Azure Active Directory SKU like P1 or P2, you should create a group for VPN users, add that group, and manage users only through that group. Check out Microsoft's guides "create or edit a dynamic group and get status - Azure AD" and "create a basic group and add members - Azure Active Directory".