Prevent unauthorized access to sites that have OAuth protected API calls


I am using this FastAPI template to create a production and staging stack with a main traefik proxy in front of both stacks that routes requests to the corresponding site. I need to restrict access to the staging site and thought I could achieve this by enabling traefik's BasicAuth. This works fine until I try to make an API call to the FastAPI backend, which itself requires OAuth. However, I can only set either the Basic or the OAuth token in the Authorization header of my request, so either traefik denies access for not setting the Basic token, or FastAPI denies access for not setting the OAuth token.

Does someone know of a good way to prevent unauthorized users from accessing the staging site without breaking the authentication for the backend REST API? I also tried using ForwardAuth to use the REST API's OAuth endpoint, but I couldn't get it to work properly. My last resort would be restricting access via IP ranges, but that requires me to log into my company's VPN whenever I want to access my staging site and makes it harder to allow access for external partners.