yesss thanks to this article from @aaronpk I managed to set up a little server that lets me put any service I want behind Mastodon's OAuth so that only people with a friend.camp login can see it. It works for web apps that don't know what OAuth is -- you are just kind of "gating" them so that any request to any URL for the app must be authorized first. A little like .htpasswd but for OAuth.
https://developer.okta.com/blog/2018/08/28/nginx-auth-request
I'll write this up in detail later but Aaron's post has everything you need.
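
An nginx sketch of the gating described above, added here as an illustration; it is not the poster's configuration or code from the linked article. The hostname, certificate paths, ports, and the `/validate` and `/oauth/` endpoints of the auth service are assumptions, standing in for whatever service completes the Mastodon OAuth login and answers 200 or 401 for a session.

```nginx
# Added example. All names, ports and paths below are placeholders/assumptions.
server {
    listen 443 ssl;
    server_name app.example.com;                       # placeholder hostname
    ssl_certificate     /etc/ssl/app.example.com.crt;  # placeholder path
    ssl_certificate_key /etc/ssl/app.example.com.key;  # placeholder path

    # Every request in this server block first triggers a subrequest to /_auth.
    # A 2xx answer lets the request through; 401 or 403 denies it.
    auth_request /_auth;

    # Visitors without a valid session are sent to start the OAuth login.
    error_page 401 = @login;

    location = /_auth {
        internal;                                   # not reachable by clients
        proxy_pass http://127.0.0.1:9090/validate;  # assumed auth service endpoint
        proxy_pass_request_body off;                # only headers/cookies are needed
        proxy_set_header Content-Length "";
        proxy_set_header Host $host;
        proxy_set_header X-Original-URI $request_uri;
    }

    # The login and OAuth callback endpoints must stay ungated,
    # otherwise nobody can ever obtain a session.
    location /oauth/ {
        auth_request off;
        proxy_pass http://127.0.0.1:9090;
        proxy_set_header Host $host;
    }

    location @login {
        return 302 /oauth/login;
    }

    location / {
        # The app that knows nothing about OAuth. It must listen on loopback
        # only, so that nginx is the single path to it.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
    }
}
```

The gate only holds if the backend is unreachable except through nginx; an app bound to a public interface can be requested directly and skips the auth subrequest entirely.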