No, the problem more likely is another:
Which ever way you choose to do this (application code, nginx, whatever), has to mess with (read: edit) mailcows files one way or another which might lead to unforseen consequences on updates or with future releases, ranging from your changes beeing overwritten to breaking stuff (more umlikely, but you never know).
If you know what you’re doing and, more importantly, are comfortable with tracking your changes across updates, you can of course do whatever you wish. But developers should stay out of stuff like that, to avoid giving it some kind of official semblance. Otherwise, if stuff breaks, people will open tickets saying “you wrote this and that in the forums, why doesn’t it work”.
So, to me it’s actually totally understandable that the developers won’t make remarks on that kind of (highly
Btw: I just thought of another solution for that, which works without editing anything inside mailcow: One could possibly reverse-proxy the webinterface and either do IP filtering on the requests on the proxy, or adding another layer of auth with htaccess or like.