
hedora, yesterday at 3:03 PM

> TOTP codes typically last for 30s and multiple actions can happen within 30s

The server just needs to remember which TOTP codes have been used and to reject after the first use.

The code is no longer sensitive after it has been used, so jam it in a database that can expire tuples after a few minutes or stick it in a login audit table if you have one.
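The replay check described in this comment, as an added example that is not part of the original post or of any particular project: a minimal RFC 4226/6238 TOTP implementation plus a verifier that records every accepted (time step, code) pair and rejects it on a second presentation. The `_used` dictionary with per-entry expiry is an assumed in-memory stand-in for the expiring table or login audit table the comment mentions; the secret `12345678901234567890` is the RFC 4226 test vector, used here as constructed input.

```python
import hmac
import hashlib
import struct

STEP = 30        # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
USED_TTL = 300   # keep used codes for a few minutes, longer than any accepted window


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


class TotpVerifier:
    """Verifies TOTP codes and rejects any code that has already been accepted once."""

    def __init__(self, secret: bytes, window: int = 1, step: int = STEP, used_ttl: int = USED_TTL):
        self.secret = secret
        self.window = window      # accept +/- this many steps of clock skew
        self.step = step
        self.used_ttl = used_ttl
        # (counter, code) -> expiry time. Assumed in-memory stand-in for the
        # expiring database table the comment describes.
        self._used = {}

    def _purge(self, now: int) -> None:
        # Drop entries whose time step can no longer validate anyway.
        for key in [k for k, exp in self._used.items() if exp <= now]:
            del self._used[key]

    def pending_used(self) -> int:
        return len(self._used)

    def verify(self, code: str, now: int) -> bool:
        if len(code) != DIGITS or not code.isdigit():
            return False
        self._purge(now)
        counter = now // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                key = (c, code)
                if key in self._used:
                    return False      # replay: this code was already accepted
                self._used[key] = now + self.used_ttl
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226 test secret, constructed input
    v = TotpVerifier(secret)
    first = v.verify(totp(secret, 59), 59)
    replay = v.verify(totp(secret, 59), 59)
    print(f"first use accepted: {first}, replay accepted: {replay}")
```

The key point is that the store is indexed by the time step together with the code, so the same six digits recurring for a different step years later are not confused with a replay, and entries only need to outlive the acceptance window rather than live forever.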