I think that it won’t work because the browser isn’t quite playing by the same rules that the web server is.
If you know how to get your phone to override DNS, you could remove the publie DNS record for the site (then no one could access it), and tell only your phone to use your private DNS. I don’t know how to do that. You’d google something like “ios DNS spoof”.
Or, you can let login-required be good enough for your testing.