I have had this problem too, getting locked out at least once a day, but some times up to 3 times in the same day. I had an online chat with Apple support about it, and I learned a few things during that chat and after trying some things:
- You can enable 2FA, then disable it within 2 weeks to test things
- After enabling 2FA, you get an email from Apple with a "magic link" clicking on it (within 2 weeks) is the way to disable 2FA
- Once I enabled 2FA (mid January 2021), the problem went away completely
- After 13 days, just before my 2 weeks was up, I disabled 2FA (disabling 2FA -requires- you to change your password)
- After disabling 2FA, the problem started up again, up to 3 times a day
So I tried putting my iPhone (X) in airplane mode. I then logged out of iCloud/Apple on my MacBook Pro (2012) and closed the lid to sleep the machine. Finally, I logged out of iCloud/Apple on my iMac (2019) and my Mac Pro (5,1). This left my iPad (4) as the only device logged in. And STILL the problem happened. As an example, the moment I took my phone out of airplane mode, the "account locked" message came up.
Although I acknowledge the nuisance that 2FA was in the early days, during my 13 days with 2FA enabled (1 day short of the 2-week point-of-no-return) I did not encounter -any- nuisance authentication requests. In other words, I was never once challenged to have to enter an authorization code sent to my iPhone in order to "do" anything on any other device. When you enable 2FA, you do have to log into each device now that 2FA is enabled, and when doing so you get some type of notification that the device you're logging into is now a known trusted device. Now that it's a trusted device, you won't get challenged by 2FA for any authorization code for anything you do on THAT device. And so, since all of my devices were trusted, I never once saw a 2FA challenge during the 13-day period. I'm pretty sure that if I got some new device during that time and tried to set up iCloud on it, I'd be challenged by 2FA one time for that new device, but then it would be trusted.
My point is: like many of you here, I've resisted 2FA for a very long time, and even disabled it 13 days after enabling it. But, I have to say that life with 2FA didn't actually have any of the nuisances that were reported by people in the long ago past, and if I cannot get to the bottom of this with 2FA disabled, I will probably end up re-enabling 2FA and letting that become permanent by allowing it to stay enabled past the 14 days. Because it DID solve the "account locked" problem for me.