Currently, PAM uses the STS:GetFederationToken API to provision AWS Console access for the user. However, once the user is logged in to the AWS Console, the user cannot assume another AWS Role. This is a limitation of the STS:GetFederationToken API.
Based on the documentation provided by AWS, they recommend using STS:AssumeRole to log the user in to the AWS account, and from there the user can assume additional roles as required.
Can PAM support this feature?
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison (API Restrictions)