Protecting subsites from guests
In addition to existing JWT based authentication, you can enable basic-auth over subsites since it is the quickest way to add authencation and doesn't require any action from end-users perspective apart from knowing the username and password. Also Basic auth is understood by a wide variety of browsers natively.