Can we craft a HTTP request to my auth server from vcl_recv?
You can change the host to connect to, the path and query string, and add headers before a restart. So in effect you can create a whole new request. Check here and here for more information on this.
Payload of this will be json format auth request and based on response from auth server proceed to allow or deny access to the web content.
However, as far as I know, you can't add a body, so that won't be possible.
OR can i use any of the vmod's like curl for doing this? Is there support to achieve this.
No, you can't use vmods either. We've encorporated many into our core Varnish, but not
curl. The restart capability is the closest thing.