Board: Bitcoin Discussion
Topic: Re: Bitcoin challenge transaction: ~100 BTC total bounty to solvers!
Post by pooya87 on 05/08/2019, 04:32:47 UTC
What PRF is generally used?

i am not really familiar with this algorithm but yesterday when i saw your comment mentioning SHA256 as the PRF i did some search on the algorithm and i haven't yet seen anybody use this.
one option is what was posted (f(x) = 2x%k) each choosing k differently from random k in [1,20] to a k based on curve order, here is one in python: https://github.com/crypto-class/random-modnar/blob/master/set8/58/main.py
others use something similar to what you said here with SHA256 but they simply use their language's Random() function which uses a bunch of hashes under the hood.
another thing i've seen was finding α based on prime (p-1) factors and define f(x) = xα %n

in the end it seems like there is no good answer to the pseudorandom map function that they use. each one is trying to come up with the most efficient function while reducing the cycles to make the algorithm run faster.
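The step-function choice discussed in the post above, as an added example that is not part of the original post or the linked repository: a Pollard-kangaroo style interval search (assumed to be the algorithm under discussion) on a toy multiplicative group, reading the post's f(x) as 2^(x mod k), which is an assumption. The names `kangaroo` and `solve`, the prime, the generator, the interval and the secret are all constructed for illustration.

```python
# Added example: toy interval discrete-log search with the step map f(v) = 2^(v mod k).
# All parameters (p, g, the interval, the secret) are constructed for illustration.

def kangaroo(g, y, p, a, b, k):
    """Return an exponent x with g^x = y (mod p) for a secret assumed in [a, b], or None on a miss."""
    f = lambda v: 1 << (v % k)           # pseudorandom jump size from the current point
    mean = ((1 << k) - 1) // k           # average of 2^0 .. 2^(k-1), rounded down
    n = 4 * mean                         # tame jumps; more jumps -> fewer misses

    # Tame kangaroo: starts at the known exponent b and sets a trap where it stops.
    xt, yt = 0, pow(g, b, p)
    for _ in range(n):
        step = f(yt)
        xt += step
        yt = yt * pow(g, step, p) % p

    # Wild kangaroo: starts at y = g^x; once it lands on any tame point, both
    # walks follow the same jumps and it ends in the trap.
    xw, yw = 0, y
    while xw < b - a + xt:
        step = f(yw)
        xw += step
        yw = yw * pow(g, step, p) % p
        if yw == yt:
            return b + xt - xw
    return None


def solve(g, y, p, a, b, k_range=range(6, 17)):
    """Retry with different k until a verified answer is found; returns (x, k) or None."""
    for k in k_range:
        x = kangaroo(g, y, p, a, b, k)
        if x is not None and pow(g, x, p) == y:
            return x, k
    return None


if __name__ == "__main__":
    p, g = 1000003, 2                    # constructed toy group, not a real curve
    secret = 48611                       # constructed exponent inside [0, 2^16]
    print(solve(g, pow(g, secret, p), p, 0, 1 << 16))
```

The walk is deterministic for a given k, so a miss is only fixed by changing k (or the map itself), which is why `solve` retries over a range of k values.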