I’m not a programmer, but my take is that you should always verify JWT (I had to look that acronym up). Argo Tunnel and blocking non-Cloudflare IP addresses are functionally similar, so I assume (yes, that word) that JWT needs to be used in either case.
Let me try to answer quickly before going to bed… this won’t be perfectly formatted, I’m on my phone right now and it’s late.
Let’s split the cases here, starting with a simple Argo Tunnel to a server somewhere. No Cloudflare Access.
In this case the server is connecting to Cloudflare, not the other way around, and all connections from users to Cloudflare go directly to the server (or the cache, but let’s not get too deep into this). If you have a login or something, you simply need to handle that at the server within your application. Follow all standard practices for those (use a third-party service, e.g. Firebase Auth; you will do yourself a favor).
As far as firewalling on the server goes, you can block all incoming connections (leave only those you need: SSH? RDP? FTP? Obviously secure those, but that’s another matter, out of scope here). You could technically limit outgoing connections as well, but it’s neither practical nor necessary.
Second case, using Cloudflare Access.
In this case Cloudflare will verify the access for you, verify the JWT and send that back to your application in case you need it. At this point it becomes like the first case: handle the logins at the application if you need them, obviously, but you don’t need to handle actual login flows to verify users (you certainly could; I’ve never actually done that with the same JWT, and I presume it’s somewhat possible) and passwords and so on. You can simply read the user details from the JWT and act on those.
As far as firewalling goes, it’s identical to the first case.