At $dayjob I know from experience that our login security posture systems take a dim view of attempted logins from public VPN IP addresses (which it usually refers to as an "Anonymous IP address"), it flags the user account as high risk, and sends the user into a cycle of 2FA challenges until they resume a pattern of more normal network access. $dayjob colleagues have learnt that keeping their Netflix region hopping away from their corporate network access makes life easier.

From the perspective of IB who host forums that have a history of being DDOS'd and forums spammed, due to the limitations of forum software it would seem to me they have no easy option to invoke a 2nd factor authentication from perceived higher risk logins, so they regrettably end up blocking access.