If a resource, let’s say an image, is not served by my server without a successful HTTP auth, why is CF serving it publicly?
Cloudflare should not cache them, or cache them but make sure to serve them only if the client is sending valid credentials (which may be not so feasible)