As an alternative, you could consider using something like Auth0 Actions. If there is a specific condition under which you know these users should be blocked, for example, a certain domain, IP address, or a list of email addresses, then you could have a Post-Login script waiting to block these users and deny them access.
Using a Post-login script, what would happen if the user is already logged in? That is, the …/authorize endpoint redirects back to the application directly instead of the …/login endpoint. Would the script still run?
The Post-Login script will always trigger after a successful login flow. So in the case where a user hits the /authorize endpoint with an active session, then the user will not need to re-authenticate, and the Post-Login script will execute.
I hope this answers your question.
Please let me know if there’s anything else I can do to help.
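A sketch of the Post-Login Action suggested at the top of this thread, covering the three conditions it mentions (domain, IP address, email list). This is an added example, not code posted by anyone in the thread; the block lists, reason strings and the `blockReason` helper are constructed for illustration, while `event.user.email`, `event.request.ip` and `api.access.deny()` are the standard Post-Login Action objects.

```javascript
// Constructed sample block lists (assumption: a real tenant would load these
// from Action secrets or another managed source rather than literals).
const BLOCKED_DOMAINS = new Set(["blocked.example"]);
const BLOCKED_EMAILS = new Set(["mallory@partner.example"]);
const BLOCKED_IPS = new Set(["203.0.113.7"]);

// Hypothetical helper: returns a reason string when the login must be
// denied, otherwise null. Kept pure so it can be unit-tested offline.
function blockReason(event) {
  // Normalise before comparing: email matching must not depend on case
  // or on stray whitespace from the identity provider.
  const email = String((event.user && event.user.email) || "")
    .trim()
    .toLowerCase();
  // Take everything after the LAST "@" so a local part containing "@"
  // cannot shift the domain that gets checked.
  const domain = email.slice(email.lastIndexOf("@") + 1);
  const ip = (event.request && event.request.ip) || "";

  if (email && BLOCKED_EMAILS.has(email)) return "email_blocked";
  if (email.includes("@") && BLOCKED_DOMAINS.has(domain)) return "domain_blocked";
  if (BLOCKED_IPS.has(ip)) return "ip_blocked";
  return null; // missing email or IP falls through to "not blocked"
}

// Post-Login Action entry point. The decision is made on every execution,
// so it does not rely on the user having typed credentials this time.
const onExecutePostLogin = async (event, api) => {
  const reason = blockReason(event);
  if (reason) {
    // Ends the transaction with an access-denied error to the application.
    api.access.deny("Access denied (" + reason + ")");
  }
};

// Auth0 loads the handler from module exports; guarded so the file also
// runs in environments where `exports` is not defined.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

Connections that do not supply an email or request IP pass this check unblocked, so a deny-by-default variant would need an explicit branch for missing values.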