Authelia can operate at the proxy level as you said, but it can also work at the application level. Authelia implements the OpenIDConnect standard which is designed first as a way for applications to authenticate users using client side redirects.
My recommendation would be to build (or potentially find) a piece of middleware that performs your API/DB query and then redirects to Authelia based on the response. Depending on what proxy/LB you're using it might even support this natively
Authelia can operate at the proxy level as you said, but it can also work at the application level. Authelia implements the OpenIDConnect standard which is designed first as a way for applications to authenticate users using client side redirects.
My recommendation would be to build (or potentially find) a piece of middleware that performs your API/DB query and then redirects to Authelia based on the response. Depending on what proxy/LB you're using it might even support this natively