SSH engine with OTP doesn't work for sudo in CentOS 7

I want to use the SSH engine with the OTP option only for sudo, without login. The configuration described in the official manual works on Debian/Ubuntu without problems, but on CentOS 7 I run into difficulties. When I try to run a command with sudo (e.g. sudo su), the system asks me for the OTP password for the user, and after I enter it an error arises:

[sudo] password for vagrant:
sudo: account validation failure, is your account locked?

So you want to log in as sudo to start as opposed to as a user that has sudo privileges? Just making sure I got it right as I have SSH OTP set up on Oracle Linux but I’m not sure I’m doing the same as you.

It seems what I want is something else. I want to log in to the server with a physical token (USB stick), and presumably the user doesn’t have a password. I want to use OTP to run commands with sudo. Therefore I want to modify only the PAM configs for sudo. E.g. cat /etc/pam.d/sudo:
#%PAM-1.0
auth requisite pam_exec.so quiet expose_authtok log=/var/log/vault-ssh.log /usr/local/bin/vault-ssh-helper -dev -config=/etc/vault-ssh-helper.d/config.hcl debug
auth optional pam_unix.so not_set_pass use_first_pass nodelay

Ya that is beyond what I have worked on.
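
The /etc/pam.d/sudo file posted above contains only auth rules, and Linux-PAM applies the rules of the "other" service to any management group a service file leaves empty. The following added example (not code from the thread or from Vault) parses a pam.d file and lists those groups so they can be compared with /etc/pam.d/other on each distribution. It is an assumption, not something the thread confirms, that this fallback is behind the "account validation failure" message; SUDO_PAM_WITH_ACCOUNT is a constructed sample, not a recommended configuration.

```python
import re

GROUPS = ("auth", "account", "password", "session")
# type, control (plain word or [bracketed] form), then module path and arguments
RULE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(.*)$")

# The /etc/pam.d/sudo content posted in the thread, embedded as sample input.
SUDO_PAM = """\
#%PAM-1.0
auth requisite pam_exec.so quiet expose_authtok log=/var/log/vault-ssh.log /usr/local/bin/vault-ssh-helper -dev -config=/etc/vault-ssh-helper.d/config.hcl debug
auth optional pam_unix.so not_set_pass use_first_pass nodelay
"""
# Constructed sample: the same file with one account rule appended.
SUDO_PAM_WITH_ACCOUNT = SUDO_PAM + "account required pam_unix.so\n"


def parse_pam(text):
    """Return (group, control, [module, args...]) for every rule in a pam.d file."""
    text = text.replace("\\\n", " ")             # join backslash-continued lines
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # comments run to end of line
        m = RULE.match(line)
        if m and m.group(2).lower() in GROUPS:   # a leading "-" on the type is accepted
            rules.append((m.group(2).lower(), m.group(3), m.group(4).split()))
    return rules


def unresolved_includes(text):
    """Debian-style '@include file' lines; their rules are not followed here."""
    return re.findall(r"^@include\s+(\S+)", text, flags=re.M)


def groups_left_to_other(text):
    """Management groups with no rule in this file (served by 'other' instead)."""
    defined = {group for group, _, _ in parse_pam(text)}
    return [g for g in GROUPS if g not in defined]


if __name__ == "__main__":
    for name, text in (("posted", SUDO_PAM), ("with account", SUDO_PAM_WITH_ACCOUNT)):
        print(name, "-> falls back to 'other' for:", groups_left_to_other(text))
        if unresolved_includes(text):
            print("  incomplete: @include not followed:", unresolved_includes(text))
```

To check a live system, pass the contents of /etc/pam.d/sudo to groups_left_to_other() and read /etc/pam.d/other for the groups it returns.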