Monitoring tunnels behind a LB + Okta Access Group

Hey all, a couple clarifications needed. We have two Tunnels for DR, so one tunnel/origin per pool (and two pools):

       , Pool A (Tunnel A)--> On-prem k8s Ingress Cluster A
      ' Pool B (Tunnel B)--> On-prem k8s Ingress Cluster B

I was wondering how the LB monitors would be able to monitor our endpoints? I can seemingly only get the built-in http_service to return healthy. The monitor I have in place is for the default Ingress backend page, which we’ve set to return 200 with a more helpful message than “404 Not Found”.

I guess my question is mainly: How can the monitor be configured to monitor an endpoint behind an Access Group (Okta in this case), but I think this question also implies another question: At which point in the path do the monitors occur; is this already past the Access Group?

Many thanks