The External Evaluation rules (https://developers.cloudflare.com/cloudflare-one/policies/access/external-evaluation/) were added last year to expand the capability of Access authentication to authenticate users under arbitrarily complex user-defined conditions.
I would love to use this feature to authenticate machines (in my particular example, a GitHub Actions workflow having a JWT signed by the GitHub IdP).
As I understand External Evaluation access policies, such a setup is currently impossible because External Evaluation requires a user to have been authenticated by an IdP (either an external IdP or Cloudflare's own), so that Cloudflare can pass on the user identity to the designated Worker that handles External Evaluation requests.
One could use a Service Token to achieve such a setup (and this is what I will be doing for now), but this is a little less convenient because the token needs periodic rotation. I think if cloudflared could authenticate itself to Access via a Worker by passing some credential to it, we could further secure the perimeter of internal services for external machine access.