This functionality is not available in Auth0 out of the box. One way which you could implement this is to use the Force Email Verification rule:
The flow would work as follows:
- User changes email address
- You trigger the Post Verification Email job via Management API v2
- If they try logging in without having verified the email, they will be blocked by the Rule. If they have verified the email, they can login.