The handler that uses that API would need to handle it, which is typically too late by then as the HttpHandler that handles the request has already been decided, e.g. if StaticFileHandler was handling it.
You could choose to return null in your VFS provider so it returns a 404, which is common approach to handle non-authenticated requests to prevent information leakage, e.g. GitHub will return a 404 when trying to access a private repo you don’t have access to.
Alternatively you could use a pre-request filter to short-circuit requests for the protected alias if they’re not authenticated, e.g:
this.PreRequestFilters.Add((req,res) =>
{
if (req.PathInfo.StartsWith(alias) && !req.IsAuthenticated())
{
res.StatusCode = (int)HttpStatusCode.Unauthorized;
res.StatusDescription = ErrorMessages.NotAuthenticated.Localize(req);
res.EndRequest();
}
});