My meaning was not very clear.
I was responding to
The only ‘higher up’ for the middleware is in step 3 (when the middleware calls your src/Application.php method getAuthenticationService().
After that process is done, everything is out of your hands.
But you are right, the middleware code that will ultimately let through your ‘approved’ pages is down in that tan box.