Cludflare Pages - Lock down root domain

Is there a way to lock down a production build Cloudflare Pages setup with a custom domain via Cloudflare Access policies? I know that “preview” pages can be enabled, and that works fine, but I want to do the same for the production build as well so that only certain users can access it managed by an access application policy.

I’ve tried creating access policies for the root domain and wildcard *.domain.tld and it does not enforce the policy for the root domain, only subdomains not hosted on Pages.

Yes, that is possible to do. I started out with Cloudflare Pages and protected preview builds. When I later signed up for Cloudflare for Teams, I was able to get more control over these settings since it was just Cloudflare Access under the hood. I don’t remember what the configuration looked like exactly since I cleaned up and did some reconfiguration, though. But in short you can add a self-hosted application in the Cloudflare for Teams dashboard under Access → Applications with the desired domain.

Yeah, that’s what I did - but no matter what config I put there the root domain is never locking down. I’ll keep playing around to see if I can find the right match.