Having spent more time trying this I think I have solved it.
I changed the Auth0 action to:
exports.onExecutePostLogin = async (event, api) => {
if (!event.user.email_verified) {
/**api.access.deny('Please verify your email before logging in.');*/
api.redirect.sendUserTo("https://localhost:7252/VerificationRequired");
}
};
This lets me redirect sign ins from unverified emails to a custom page where I can explain what they need to do etc.
If there is a better way to handle this I’ll be glad to learn it 
otherwise this is what I’m going with.