First try to disable bruteforce protection through the config.php:
You would need to adjust the parameter
auth.bruteforce.protection.enabledin your Nextcloudconfig.phpto disable brute force protection, which is heavily discouraged for production servers, particularly if your server is reachable via a public IP address. It allows an attacker to iterate over all users and their passwords as well as two-factor verifications afterwards ultimately leading to admin access.
auth.bruteforce.protection.enabled=false
If login works, it is bruteforce settings. If still not working, it is not bruteforce protection.
This page from the docs is providing a lot of valuable hints and tweaks in regard to bruteforce protection