The user consent application is treated as all other web applications protected by Airlock Gateway (WAF) and IAM.
To protect the consent application restrict the mapping to the role configured in the IAM's remote consent settings (e.g. "psd2_consent").
Follow the instructions in Airlock Gateway for Airlock IAM configuration. When using the IAM mapping template, make sure to enable the allow rule "OAuth 2.0 Authorization Server Functionality".