I am not all that familiar with Cloudflare’s serverless offerings, but maybe I can give you some insight on the Auth0 side.
In Auth0, you can use the app_metadata property of the user’s profile to store data that is read-only to the user. This includes could include things like a user’s permissions, external id, or something like a subscription tier. You can then use that data in a rule to make decisions in the authentication pipeline. Here is the metadata doc with more examples and explanation:
In addition to using that info in a rule, you can add app_metadata it to the token in a custom claim and make decisions in the client or API.