Some clarification on Zero Trust functionality and price


I am reading about this Zero Trust functionality and I think this is what my customer needs:

They have their own web app on Digital Ocean hosting, where the firewall allows only traffic from the customer’s company IP. So for home workers we utilize VPN users to connect to their premises, and from there on they can run the Digital Ocean web app without restriction.
This web app is for PC and mobile devices.

Would Zero Trust come in handy in this case? And MS Authenticator as MFA?
I guess it would work with pre-authentication with MS Authenticator, and then Zero Trust would tunnel the app to the user, without the need for any additional installations and without the need for a VPN.
Can somebody confirm this, please?

Regarding price: I have this customer on the FREE plan for now. Which plan would I need to provide to them to use Zero Trust within the described principle?

Thank you very much!