A brief but not exhaustive description of these terms.
A (cryptographic) hash function takes an arbitrary length input (message) and outputs a fixed length message digest or digest value. An eXtendable Output Function (XOF) is similar to a hash function but the output can be extended to any desired length. The security requirements of a XOF are the same as a cryptographic hash function in that it should be resistant to preimage and collision attacks. There are no secret inputs.
An example of a hash function is SHA-256 [FIPS180], available with HASH_Bytes. SHAKE128 and SHAKE256 are XOFs with security strengths of 128 bits and 256 bits respectively based on the SHA3 hash algorithm [FIPS202], available with XOF_Bytes.
The Mask Generation Function MGF1 described in [PKCS1] and used in the RSA-OEAP and RSA-PSS schemes can also be used as an XOF. For example, MGF1-SHA-256 is used as a XOF in the SPHINCS+ hash-based quantum-resistant signature scheme [SPHINCS] (see section 7.2.2, Hmsg); it is available with XOF_Bytes.
A Message Authentication Code (MAC) is a cryptographic checksum on data that uses a symmetric key to detect both accidental and intentional modifications of the data.
HMAC (Hash-based Message Authentication Code) is based on a hash function and takes a message and a key and outputs a security code, also called a tag. The security requirement for a MAC is that it must resist attempts by an adversary to forge tags. An example of an HMAC function is HMAC-SHA-256, available with HMAC_Bytes. The output from an HMAC function is a fixed length corresponding to its underlying hash function. The output can be truncated at the cost of lower security.
KMAC (KECCAK Message Authentication Code) is a variable-length keyed hash function described in NIST SP800-185 [SP800-185]. It is based on KECCAK, the core SHA-3 algorithm. There are two variants, KMAC128 and KMAC256, which have expected security strengths of 128 and 256 bits, respectively. If not specified, the convention is that the output lengths for KMAC128 and KMAC256 are 256 bits (32 bytes) and 512 bits (64 bytes), respectively. The KMAC algorithm can theoretically output an infinitely-long stream of bytes, so it can also be used as a Pseudorandom function (PRF). Note that you cannot truncate a KMAC output value when used as a message authentication code. KMAC is available with PRF_Bytes
A PseudoRandom Function (PRF) takes in a secret key and a message, and outputs a bit string. The security requirement for a PRF is that it should behave like a random function when evaluated on arbitrary messages provided the secret key is uniformly distributed. This is a stronger requirement than for a MAC. You can use a PRF to construct a MAC (like KMAC) but the converse is not necessarily true. A secure MAC function is not necessarily a secure PRF.
A Key Derivation Function (KDF) takes in some secret keying material and outputs a uniformly distributed bit string. The keying material does not have to be uniformly distributed and an adversary may have prior knowledge about part of it. Thus a KDF has a stronger security requirement than a PRF. A PRF requires a uniformly-distributed secret key, but a KDF can cope with weaker material. By definition, a KDF is a PRF, but the converse is not true.
An example of a KDF is HKDF, the HMAC-based Key Derivation Function from [RFC5869], available with KDF_Bytes.
Thus we have a hierarchy KDF > PRF > MAC.