dreautall / waterfly-iii

Unofficial Android App for Firefly III, a free and open source personal finance manager.

Feature Request: Support remote user authentication

voruti opened this issue

I'm using Firefly III with Authelia in front of it.

https://docs.firefly-iii.org/how-to/firefly-iii/advanced/authentication/#remote-user-authentication

As of now, it seems like Waterfly doesn't support this yet.

I honestly have no idea how to support this. How does the app detect that you're reaching an Authelia proxy and didn't just enter a non-valid FF3 domain? How does Authelia tell me that everything went as expected? I cannot intercept the web traffic of the web browser session I need to open.

I don't know about other authorization proxies, but I'm using Authelia together with Traefik, with which I get (in my web browser) a 302 status response code with a location header to my Authelia instance, when I'm not already logged in. (The login is a custom cookie.)

But I don't think a complex setup with login in a web browser and extracting/saving the cookie is necessary.
Instead, setting a custom header would suffice, I think. For example, when I set the (custom) Authelia-Authorization header to my Authelia login credentials, any requests with that header are allowed by the proxy.

I think the correct approach to this is to authenticate in the app using API keys. I also am using remote user authentication for logging into Firefly III (using Authentik rather than Authelia), but I have configured the authentication proxy to allow requests to the API, since that is a public route to the website. This allows usage with stuff like command line interfaces and 3rd party integrations.

After thinking about it, I agree with @mehalter and will not implement custom header support or similar. The API is protected enough, and the proxies support excluding certain paths from requiring auth.
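The path exclusion the thread settles on, sketched as an Authelia `access_control` fragment. This is an added example, not configuration posted by anyone in the thread or taken from either project. The hostname `firefly.example.com` and the `one_factor` policy for the web UI are assumptions, and `/api/` is Firefly III's API prefix.

```yaml
# Added example (assumed hostname: firefly.example.com).
# Authelia evaluates rules top to bottom and applies the first match,
# so the narrow API bypass must come before the catch-all rule.
access_control:
  # Anything not matched by a rule below is refused outright.
  default_policy: deny

  rules:
    # API requests skip the proxy login. They are then authenticated
    # only by the API key the client presents to Firefly III, so this
    # pattern must stay anchored to the API prefix and nothing wider.
    - domain: firefly.example.com
      resources:
        - '^/api/.*$'
      policy: bypass

    # Everything else on the host (the web UI) still requires an
    # Authelia session before the request reaches Firefly III.
    - domain: firefly.example.com
      policy: one_factor
```

With a rule set like this, an unauthenticated browser request to the web UI still gets the 302 to the Authelia portal described earlier in the thread, while a request under `/api/` reaches Firefly III directly and succeeds only with a valid API key.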