If I use the Cloudflare Dashboard to expose a new Public Hostname using an existing cloudflared tunnel, there is an option, "Protect with Access", under the Access category. The applications I’ve defined already have a DNS name configured, so why is this option needed in the first place? Even if I deactivate this setting, the application security seems to work just fine.
That option enforces strict JWT verification on the hostname at the cloudflared side so that requests will only be allowed if they come from Access. This protects you against any misconfigurations if you accidentally remove the Access app (in which case the requests will fail instead of succeed) and also protects you against any requests that somehow (there are no known methods, but…) bypass Cloudflare Access to request the origin directly.
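The fail-closed check described in the answer above, as an added Go sketch (not from the thread and not cloudflared's own code): a request is let through only if its Access JWT verifies against the team's key and carries the expected issuer, audience and an unexpired `exp`. The function names, the `https://team.example` issuer, the `aud-app` audience and the throwaway RSA key are constructed for illustration; real tokens are issued by Access and arrive in the `Cf-Access-Jwt-Assertion` header.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// verify fails closed: nil only for a token signed by pub (RS256 is pinned, the
// header "alg" is ignored) whose iss and aud match and whose exp is in the future.
func verify(tok string, pub *rsa.PublicKey, iss, aud string, now int64) error {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return fmt.Errorf("no Access token on the request")
	}
	sig, e1 := base64.RawURLEncoding.DecodeString(p[2])
	body, e2 := base64.RawURLEncoding.DecodeString(p[1])
	sum := sha256.Sum256([]byte(p[0] + "." + p[1]))
	var c struct {
		Iss string
		Aud []string
		Exp int64
	}
	ok := e1 == nil && e2 == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) == nil &&
		json.Unmarshal(body, &c) == nil && c.Iss == iss && now < c.Exp // signature is checked first
	for _, a := range c.Aud {
		if ok && a == aud {
			return nil
		}
	}
	return fmt.Errorf("signature, issuer, audience or expiry check failed")
}

func sample(claims string) (string, *rsa.PublicKey) { // constructed token, throwaway key
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	in := "eyJhbGciOiJSUzI1NiJ9." + base64.RawURLEncoding.EncodeToString([]byte(claims)) // {"alg":"RS256"}
	sum := sha256.Sum256([]byte(in))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, k, crypto.SHA256, sum[:])
	return in + "." + base64.RawURLEncoding.EncodeToString(sig), &k.PublicKey
}

func main() {
	tok, pub := sample(`{"iss":"https://team.example","aud":["aud-app"],"exp":2000}`)
	fmt.Println(verify(tok, pub, "https://team.example", "aud-app", 1000)) // <nil>: token accepted
}
```

With this check in front of the origin, a request that arrives without a token is refused rather than served, which is the removed-Access-app case the answer mentions.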