How to set a bypass rule for Cloudflare's own servers?

I am using Cloudflare Tunnel to publicly expose two services, main.domain.tld and sub.domain.tld.
Main has its own authentication with 2FA, so I did not put any access rules on it. Sub does not have built-in auth, so I am using applications to limit access.
Sub is included in an iframe in Main. To see it, I need to log in by going to Sub first.
How do I write a bypass rule for Sub so that if the call is coming from the specific domain Main, it would not require auth?

I don’t see this as a possible option.