Cloudflare, JWT validation and Google Assistant

Hi, I have a question regarding the Google Assistant integration. There’s a TLDR at the bottom, if you’re not interested in the context.

Context

I currently have HA running with the following setup:

Cloudflare Access -> OpenWRT Firewall -> Nginx HTTP proxy -> Home Assistant instance

This has been working quite nicely, including the recent addition of a module to Nginx to validate the Java Web Tokens (JWT), as Cloudflare recommends. Unfortunately, there remains a small niggle in that the Google Actions requests to the /api/google_assistant and /auth/token endpoints, used for the Google Assistant integration, aren’t able to get through Access, so I have to use a bypass rule for those specific paths - with the result that the requests pass through without challenge and thus are not provided with a JWT, which means I have to disable JWT validation for those paths in my Nginx config file as well, which weakens the security of the setup.

A possible alternative to this might be to use the Access Service Tokens that Cloudflare allows you to generate, which provide a client id + client secret pair which any bots you want to allow through Access can be told to provide in order to authenticate themselves to Access (therefore, successfully receiving a JWT). However, this would require changing the client id field in the Google Action requests from https://oauth-redirect.googleusercontent.com/, as specified in the guide. Since the OAuth protocol requires client applications to verify the client id presented by the request, one would presume that changing it would then prevent the integration from working. Indeed, when I tried to do this, the Google Actions stopped working.

I did try looking through the Python files for the Google Assistant integration, but I couldn’t find any references to a “client id” or the URL mentioned above at all, which I found quite surprising, to be honest.

The TLDR is:

The setup guide has you set the Client ID field as https://oauth-redirect.googleusercontent.com/ when setting up the Google Action.

From my rather hazy memory of the time I tinkered with writing an OAuth client application in Python, the Client ID can be an arbitrary string, so I was wondering why the guide states that specific URL? Is it possible to change it?
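To make the trade-off in the post concrete, here is an added example (not code from the post, Cloudflare or Home Assistant) of the decision the Nginx JWT module is being asked to make: validate the Access token on every path, except the two bypass paths, which are let through with no token at all. The token checks are the standard ones (signature, issuer, audience, expiry); the secret, issuer and audience values are constructed for the example, and HS256 stands in for the RS256 keys a real Access deployment publishes, so only the structure of the check is illustrative.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed values for this example. A real deployment would use the
# Access application's AUD tag, the team domain as issuer, and the RS256
# public keys Cloudflare publishes for the team (not a shared secret).
SECRET = b"example-shared-secret"
EXPECTED_AUD = "constructed-aud-tag"
EXPECTED_ISS = "https://example-team.cloudflareaccess.com"
# The paths the post exempts from Access so the Google Actions calls get through.
BYPASS_PATHS = ("/api/google_assistant", "/auth/token")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Build a signed token (HS256 here as a stand-in for the real RS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_token(token: str, now: float) -> bool:
    """Check signature, issuer, audience and expiry of an Access-style token."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return False
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # malformed base64 or JSON
        return False
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # accept string or list form
    return (claims.get("iss") == EXPECTED_ISS
            and EXPECTED_AUD in auds
            and claims.get("exp", 0) > now)


def decide(path: str, token: Optional[str], now: float) -> str:
    """Mirror the post's Nginx rule: bypass paths skip the JWT check entirely."""
    if path.startswith(BYPASS_PATHS):
        return "allow-unauthenticated"  # the weak spot the post describes
    return "allow" if token and validate_token(token, now) else "deny"
```

The bypass branch is exactly what the post objects to: any caller reaching those two paths is admitted without a token, so whatever the integration itself does to verify the client is the only check left on them.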