It is not necessary to consider that there is a "basic form". You have many different forms/windows. The "main" window is the window that was created first, but this is just a formality.
Moreover, it must be created through the Application form constructor. And if you create windows in a simple way,
TFormAuth.Create(...)then it will not be considered the main one.
In total, in order to make the authorization window wisely, you need to go into the program code (not into the module code, but into the program code). Yes, there is such a place. Delphi hides it from newcomers. You can open it through the context menu of the project "View Source" or through the menu "Project" -> "View Source".
There you will see the code for launching the application, including the creation of forms. This code can and should be edited. There you must create an authorization window in order to perform a check and either launch the application or not launch it.
UPD. Example

program Temp;

uses
  Vcl.Forms,
  Vcl.Controls,
  Temp.Main in 'Temp.Main.pas' {FormMain},
  Temp.Auth in 'Temp.Auth.pas' {FormAuth};

{$R *.res}

begin
  Application.Initialize;
  Application.MainFormOnTaskbar := True;

  FormAuth := TFormAuth.Create(nil);
  if FormAuth.ShowModal = mrOk then
  begin
    Application.CreateForm(TFormMain, FormMain);
    Application.Run;
  end;
end.

As you can see, I removed the automatically generated line
Application.CreateForm(TFormAuth, FormAuth);
and created the form myself
FormAuth := TFormAuth.Create(nil);
. Next, I did a simple check, if the window was closed with mrOk (i.e., the OK button was pressed), then we continue, run the program, otherwise the program just ends.

Authorization can look like this - the server issues a token (a certain number, secret, temporary, whose validity period can be extended when it is used), based on some client identification data (computer or application installation ID, network ip address, etc., this question is not easy and the answer to it will determine the severity of the check for the actions of an attacker who tries to steal this token).
Those. the application checks if there is a token in memory,
* if not, it opens the authorization form, and in the place with the data from it (more precisely, processed by some crypto-reliable hashing algorithm) sends the client identifier to the server, the server checks whether it is possible to give access, stops working previously issued tokens to the same client, and issues a new one.
* if there is a token, the application makes a request with this token and its identifiers (also hashed) to the server, and it, in turn, checks if the token has expired and returns either yes or no.
The authorization process can be perceived as the issuance of an activation key (for example, when buying your copy of the program).
You need to understand that this check can be bypassed by removing this request from the code in principle. It is more reliable to transfer part or all of the application’s functionality to the server side, in which case hacking will not work so easily, but the work may not be as comfortable due to lags, and the load on the server will become higher.