You can leverage Fatly's cryptographic functions, like digest.hmac_sha256(key, message), have shared secret key between your servers and VCL and use any user's info as message - id, email, id+password, etc.
Generate it on server and store result in user's cookies, and compare it in VCL every time you want to verify authentication and redirect him to some error/login page if failed.
If you have different access levels, it might get complicated. Yet, you can still have it in single cached bucket like this:
Have separate cookie that lists API's that user can access.
Have authentication cookie = hmac(secret_key, user_id + api-list)
When accessing some API check that it's in the API list cookie AND that and verify authenticity of API list by comparing HMAC.
The only problem with this approach, is that there's no easy way to remove access from some API.