R2 access Access Control List via a worker. Callback? binding?

I’m trying to provide my app’s members access to R2 directly to take full advantage of zero egress fees, but I need a method to check their token and resource against my Access Control List (not the team members list). Is there a way to bind a worker to check for permission for all modes of access (CRUD) of objects?
It appears there are no callbacks or notifications for bucket actions?
Will zero trust work on my worker-maintained ACL or just users of Cloudflare?

I’d like to figure this out too. Currently, we pipe all R2 downloads through CF WAF and apply HMAC verification, thus expiring URLs that were generated longer than a few hours ago, but this uses up our CDN allocation and racks up a lot of transfer costs rather than using up R2’s free egress.
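
The HMAC-and-expiry check described in the reply above, placed in a Worker-style handler in front of an R2 binding, as an added example that is not code from either poster or from Cloudflare. The `ts`/`sig` query parameters, the signed message format, `MAX_AGE_S`, `env.BUCKET` and `env.URL_SECRET` are assumptions.

```javascript
const enc = new TextEncoder();
const MAX_AGE_S = 3 * 60 * 60; // assumed value for "a few hours"

// Workers and recent Node expose Web Crypto globally; older Node needs the import.
async function getSubtle() {
  return globalThis.crypto?.subtle ?? (await import('node:crypto')).webcrypto.subtle;
}
async function hmacKey(secret) {
  const alg = { name: 'HMAC', hash: 'SHA-256' };
  return (await getSubtle()).importKey('raw', enc.encode(secret), alg, false, ['sign', 'verify']);
}
const toHex = (buf) => [...new Uint8Array(buf)].map((b) => b.toString(16).padStart(2, '0')).join('');
const fromHex = (hex) =>
  /^([0-9a-f]{2})+$/.test(hex) ? Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16)) : null;
// The MAC covers method, object key and issue time, so a link signed for GET fails for DELETE.
const message = (method, key, ts) => enc.encode(`${method}\n${key}\n${ts}`);

// Issuer side: runs wherever the application's own ACL decision is made.
async function signUrl(secret, method, key, nowS) {
  const mac = await (await getSubtle()).sign('HMAC', await hmacKey(secret), message(method, key, nowS));
  return `/${encodeURIComponent(key)}?ts=${nowS}&sig=${toHex(mac)}`;
}

// Verifier side: rejects malformed, stale, future-dated or tampered links.
async function verifyRequest(secret, method, urlString, nowS) {
  const url = new URL(urlString, 'https://files.example'); // placeholder origin
  const key = decodeURIComponent(url.pathname.slice(1));
  const ts = Number(url.searchParams.get('ts'));
  const sig = fromHex(url.searchParams.get('sig') ?? '');
  if (!Number.isInteger(ts) || !sig) return { ok: false, reason: 'malformed' };
  if (nowS - ts > MAX_AGE_S) return { ok: false, reason: 'expired' };
  if (ts > nowS + 60) return { ok: false, reason: 'not-yet-valid' };
  // verify() performs the MAC comparison itself; signatures are never compared with ==.
  const ok = await (await getSubtle()).verify('HMAC', await hmacKey(secret), sig, message(method, key, ts));
  return ok ? { ok: true, key } : { ok: false, reason: 'bad-signature' };
}

// Worker-style handler; env.BUCKET (R2 binding) and env.URL_SECRET are assumed names.
async function handleRequest(request, env) {
  const nowS = Math.floor(Date.now() / 1000);
  const check = await verifyRequest(env.URL_SECRET, request.method, request.url, nowS);
  if (!check.ok) return new Response(check.reason, { status: 403 });
  if (request.method !== 'GET') return new Response('method not allowed', { status: 405 });
  const object = await env.BUCKET.get(check.key);
  return object ? new Response(object.body) : new Response('not found', { status: 404 });
}
```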