Question about authenticating users connecting to a Pega app in portal mode through a 3rd-party website.
Hello, I am hoping some clever people can point me in the right direction here.
We are looking at implementing a new self-service portal (external website) which would display a Pega Constellation portal to users once they are authenticated. All of this is fine, and we have played with the MediaCo sample and got that working. The trouble is that to authenticate users, the solution directs users to the Pega login screen, which is rendered via traditional UI (not via DX API). Our environments have allow list restrictions which we cannot remove due to security restrictions. We can direct DX API traffic through a proxy, but how would it be possible to allow users to authenticate on Pega (PKCE) without allowing the users' browsers access to the Pega application servers directly?
It seems a little short-sighted that the authentication endpoint is not in itself a DX API call, meaning we could secure it, route it and implement it despite the IP allow list being in place. Does Pega expect all self-service portals to be hosted on open-to-the-world Pega platforms?