I have found a way to restrict access to {yourappp}.pages.dev subdomain.
By using https://dash.teams.cloudflare.com/ you can add two applications (Access → Applications):
- {yourappp}.pages.dev (production)
- *.{yourappp}.pages.dev (for preview deployments)
By leaving “subdomain” field empty, you can target production app. Then it’s only the matter of defining rules, who can access and how they authenticate.