Hello,
Even though your end users are working on a workgroup PC, they should log in as domain users for authentication, because your server doesn't have a credential for a client local user. In this circumstance, you should work with a Per Device CAL in your license server.
A Per Device CAL means any domain user can log in via this workgroup PC.
You can follow this document as a reference: https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-client-access-license
Then the work process will be like what you said: the user has the 1st auth when logging in via the GW, and the 2nd auth when logging in via the servers.
Note: You should figure out how your keys work; what I said is just auth as password.