I was able to solve this myself by doing as mentioned.
A CF Worker script to process requests (ignoring preflight) for a token, then processing that token as to whether or not the user has access to the site. And then a browser-level worker to attach a header for requests which are cross-origin, such that the server worker can determine auth status.
The reasoning behind that is that CORS requests by default are not withCredentials (‘include’ becomes ‘omit’). So cookies are not transferred, and cannot be transferred, period.
This does require one to utilize https://developers.google.com/web/updates/2018/09/asynchronous-access-to-http-cookies for the service worker to handle it. You might be able to get around that with a header provisioned by your service or some sort of fancy cache system.
I believe this could be much easier solved by CF staff for the provided [Access] service.
CORS preflight is step 1.
Cross origin (and even cross-“application” cf tokens for that matter) would be step 2.
CF server workers come with Mozilla crypto.subtle (hint: make your own token w/ pub/priv keys).
So I’ll leave the rest to he who reads.
As boiler code to produce the desired result.
Does such a use case bypass Cloudflare Access? Sorta. But not really (it is still based upon the requirement to log in to Access). The only item getting through is preflight, which doesn’t contain anything in either direction anyway, other than proof that the service exists.
But without CF staff providing the CORS feature as mentioned, there is no other way.