This is supported by Google Cloud using literally the same wording:
https://cloud.google.com/cdn/docs/using-signed-cookies
As far as I can tell, this feature is also supported by Akamai here:
https://techdocs.akamai.com/property-mgr/docs/cookie-authz
I am pretty sure you can implement this on CDNetworks using eval_func:
https://docs.cdnetworks.com/en/cdn/docs/recipes/secure-deliv...
With AWS Cloudfront, I'd think you--worst case--pull out Lambda@Edge?
Cloudfront “signed cookie” auth should “just work”: https://docs.aws.amazon.com/AmazonCloudFront/latest/Develope...
IIRC its essentially the same as the aws style signed urls and header bearer token auth. I _think_ lambda@edge is only relevant if you want to do the initial sig generation in the cdn instead of your api/app endpoint.
Edit: actually GP mentioned Cloudfront already, so yes works as theyre asking for AFAICT