Protecting Wordpress Login with Cloudflare Access

I’m trying to protect my wordpress login with Cloudflare Access.

The configuration is:
Running a tunnel pointing to origin IP address. (coz domain.com is already onboarded on Cloudflare so pointing to domain gives “prohibited IP” error).
Application: wpadmin.domain.com/wp-login.php

Zone lockdown: domain.com/wp-login.php

DNA CNAME pointing to tunnel id.

Everything is working fine until this point.

Problem:
After logged in, it routed back to domain.com instead of staying on wpadmin.domain.com.