The documentation page linked to is about “certificate signing”, and not “SSH OTP”.
No, they are trying to establish the required connectivity from the client to the CA, in order to get their signed certificate.
It’s a distraction to bring up that this solution doesn’t require connectivity between Vault and the SSH server, when the issue at hand is getting the client to talk to Vault.