cced 4 days ago

They should have users receive the code and then submit said code into the application for verification, with clear instructions that this code is produced as a result of a support call, and to confirm you are on an existing call when submitting the code.

Doing so would not force users to divulge codes over the phone, and would enable support staff to verify identity, all without training users that reading codes over the phone is acceptable.

Thoughts on that?

Ajedi32 4 days ago

Still not foolproof. An attacker can MITM the connection by initiating their own call to the real support line and relaying instructions between the user and support.