Deny all requests by default with cloudflare acccess

We use Cloudflare access combined with argo tunnel to expose sensitive internal applications to developers only. However, every time we expose a new service via tunnel we have to remember to also create an access policy for it otherwise the service we created would be internet-accessible by default. Is it possible to create a policy such that all requests to services exposed by argo are denied and one has to explicitly whitelist services?