I don't believe that's possible. While the admin page you reference does mention, as you say, the option to pick 2 of the 3 (I.e. Email address, authenticator app, phone number) I've never actually received the option as an admin user to use an authenticator app for SSPR. It's always been mobile phone number and email.
I did a quick test there on my test tenant and that looks to still be the case. The SSPR policy for administrators can't be modified (the one for users can), so I'm afraid if appears you're stuck with the email address requirement.