Access policies do not apply to websites with “www.” For example, in W Access > Applications, I added example.com/mypanel/ and it asks for login through Access, but visiting www.example.com/mypanel/ does not prompt for login.
Either add www.example.com as another domain for that application, add it as another access application, or redirect example.com to www.example.com using Cloudflare as here…
Your redirect from www to the apex domain is not being done on Cloudflare. Better to implement it on Cloudflare so it doesn’t involve your origin at all. If you are redirecting, then there’s no problem, as requests for example.com will be redirected to www.example.com, which is protected.
If you’re asking that example.com automatically protects www.example.com, not everyone would want that. If you want it protected, then add it as a protected domain.
If you don’t want www at all, remove it from the DNS.
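A way to audit for the gap discussed in this thread, as an added example that is not part of the original posts and is not Cloudflare's code: it compares the hostnames that resolve in DNS against the domains listed on an Access application and reports any hostname that serves the protected path without being covered. The matching rules (exact host, a leading `*.` wildcard for subdomains only, path prefix) are a simplified assumption, and the function names and sample data are constructed for illustration.

```python
# Constructed sample data mirroring the thread (not real configuration).
ACCESS_APP_DOMAINS = ["example.com/mypanel/"]
DNS_HOSTNAMES = ["example.com", "www.example.com"]
PROTECTED_PATH = "/mypanel/"


def split_domain(entry):
    """Split an application domain entry into (host pattern, path prefix)."""
    host, _, path = entry.strip().lower().partition("/")
    return host, "/" + path.strip("/")


def host_matches(pattern, host):
    """Exact match, or a '*.' wildcard that covers subdomains but not the apex."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def path_covered(prefix, path):
    """A prefix covers itself and everything beneath it; '/' covers the whole host."""
    if prefix == "/":
        return True
    path = "/" + path.strip("/")
    return path == prefix or path.startswith(prefix + "/")


def uncovered_hostnames(app_domains, hostnames, path):
    """Return the hostnames that serve `path` but match no application domain."""
    rules = [split_domain(d) for d in app_domains]
    return [
        h for h in hostnames
        if not any(host_matches(pat, h.lower()) and path_covered(pre, path)
                   for pat, pre in rules)
    ]


if __name__ == "__main__":
    for host in uncovered_hostnames(ACCESS_APP_DOMAINS, DNS_HOSTNAMES, PROTECTED_PATH):
        print(f"NOT PROTECTED: {host}{PROTECTED_PATH}")
```

An empty result means every listed hostname is either covered by an application domain or should be removed from DNS or redirected at the edge, which are the options given in the replies above.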