Securing Cloudflare Tunnel with a pseudo API Key

I recently set up a Cloudflare Tunnel for remote access and it’s been working so well (thank you everyone for posting guides!)

It has been bugging me, though, how exposed my instance and network feel given anyone can hit the URL to access the HA login page, and it’s terrifying to see on Cloudflare how many random requests the site gets. The WAF rules have been amazing, so I recently experimented by adding a new rule to block any request that doesn’t have a query string of ‘toker={token-i-generated}’, and I’ve been using it as a pseudo API key so that Cloudflare shuts down random requests before they even hit my network.

I’m no security expert, so I’d love to know what the community thinks about this approach. Is it clever? Pointless? Limiting?

Thanks!