Insert auth pool request transparently between every call to an application pool.
Interesting. So then correct me if I'm wrong, but the client traffic enters the VIP and iRule and is initially sent to the auth pool. The auth pool proxy server SNATs the request, adds some headers, and sends it back to the front of the VIP, which then sends the traffic to the app server (by virtue of the new source address). In any case, I see no harm nor performance impact doing it this way. I'd also add though that you could do an HTTP::header replace inside the iRule right before sending to the auth pool, which would overwrite any attempt to spoof the HTTP header.
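...
# Source is an auth pool member: the request is coming back from the auth proxy
if { [members -list [LB::server pool]] contains $clientIPPort } {
    log local0. "client: $clientIPPort IN $AuthPool sending to $AppPool"
    pool $AppPool
} else {
    # Overwrite any client-supplied copy of the header before the auth pool sees it
    log local0. "client: $clientIPPort NOT IN $AuthPool sending to $AuthPool"
    HTTP::header replace AUTHSEND "something"
    pool $AuthPool
}
...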