Correct, but in most cases, that wouldn't be your enforcement point so it's
not usually needed.
IAP-VPN usually needs it in order to src-nat the cluster so that you don't
have to define hundreds of addresses in your RADIUS server.
RAPs do not require PEFV. Only the regular AP licenses (AP, PEFNG).