Those typically require custom client-side code; for a website, you have the requirement that a web browser must be able to connect to it using TLS. Or maybe I'm not getting what your suggestion is - Access is supposed to intercept the connection and display a custom authentication page, with requests not reaching your server at all until they are actually authenticated.
Reverse proxies sometimes support TLS passthrough (see Traefik). If the reverse proxy puts an authentication page in front, sure, the TLS passthrough may not work. But it could work if all you need from Cloudflare is its firewalls, restricting the IP range, hiding your IP, rate limiting, DDoS mitigation, not having to open ports on internal servers, etc.
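
The trade-off discussed in the two comments above, shown as a Traefik dynamic-configuration sketch. This is an added example, not configuration from either poster or from the Traefik project: a passthrough router beside a TLS-terminating router that can put an authentication check in front of the backend. The hostnames, backend addresses, the `websecure` entry point name and the `auth.internal.example` auth service are assumptions made for illustration.

```yaml
# Added example; all names and addresses below are placeholders.

# 1) TLS passthrough: the proxy routes on the SNI in the ClientHello and
#    forwards the still-encrypted stream. The backend holds the certificate
#    and key. The proxy never sees HTTP, so it cannot show a login page or
#    apply per-path rules; only connection-level controls apply.
tcp:
  routers:
    app-passthrough:
      entryPoints:
        - websecure
      rule: "HostSNI(`app.example.com`)"
      service: app-tls
      tls:
        passthrough: true
  services:
    app-tls:
      loadBalancer:
        servers:
          - address: "10.0.0.10:443"

# 2) TLS termination: the proxy holds the certificate, decrypts the request,
#    and can require authentication before anything reaches the backend.
http:
  routers:
    admin-terminated:
      entryPoints:
        - websecure
      rule: "Host(`admin.example.com`)"
      service: admin-http
      middlewares:
        - require-auth
      tls: {}
  middlewares:
    require-auth:
      forwardAuth:
        # Hypothetical internal auth endpoint; a non-2xx response blocks the request.
        address: "http://auth.internal.example/verify"
  services:
    admin-http:
      loadBalancer:
        servers:
          - url: "http://10.0.0.11:8080"
```

With the first router the proxy can still restrict source IP ranges and hide the backend address, but anything that needs to read or answer HTTP, such as an authentication page, requires the second form.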