Options to deploy internal web app using GCP App Engine
Solution 1:
If you must go through the backend to serve static files, serve them directly from the backend (and remove the value of static files that are served without any check).
IAP is a solution to prevent the access to static files but if it's not enough, you haven't other solution than my previous remarks (at least with serverless product, I'm sure you can do more customizable things with Nginx in a container or a VM)