Super quick way would be a conditional rewrite based on the referer header. You could rewrite to a /forbidden dir and status 403 /forbidden, or something along those lines. A determined party could easily bypass this, though.
If you strictly require the user have authorised themselves, you could take a look at JSON Web Tokens, available as a Caddy plugin jwt. You could have your admin portal hand off the JWT as a cookie, or include the token as a query parameter in the link from the admin portal to the protected app.