You haven't given us enough detail of what you are actually trying to do for anyone to give you concrete advice.
But the answer is probably a reverse proxy, checking the auth on the way. It's a standard solution for things like this, just ask your favourite AI for an example of how you'd do it.
That's what your teams are effectively already doing (redirecting through a single stable environment), they've just not realised they've setup one of their servers as an ad-hoc reverse-proxy.
Your teams could do with some senior engineers who know what they're doing.