Ask HN: How are you protecting your staging environment(s) for your web apps?
1 points by summera 1765 days ago
By "staging environment" I'm referring to any non-production environment that you need to access over HTTPS, either ephemeral or long-living and potentially shared.

Are you using basic auth? If so, how are you managing usernames & passwords?

Are you using a VPN?

Are you using something else?

3 comments

Typically the entire stack is copied so that you have the exact same setup, including auth, as in production. Basic auth isn't a great idea unless your production is using basic auth too. If you're using some federated login tool like Cognito or Auth0 then you can create something like an isolated pool of users for each environment, forgot the exact name. VPN only needed if it's a compliance requirement, otherwise nothing wrong in having it public.
Totally agree with this sentiment in theory - it's best to keep the environments as similar as possible. But in practice there are requirements that will differ, such as having production be publicly available and staging be protected, mocking of certain third-party services that may not be available in a non-production environment, etc.
We use a Cloudflare firewall, and then have a facility for users (i.e. "staff") to add themselves to the whitelist, via a tooling page for each env (which isn't behind the firewall, but does rely on HTTP basic auth).

It's not perfect, but I think it works better than what it replaced (logic in the application and a shared 'secret' to access those environments).

Company SSO and IP allowlist.
Custom solution or using third-party SSO providers like Okta?
G Suite
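The two patterns described in the comments above (an IP allowlist for staff, with HTTP basic auth as the fallback for the tooling page) combined in one request-authorization check, as an added example that is not code from any commenter. It assumes constructed allowlist ranges, a constructed proxy egress range (standing in for Cloudflare), and a placeholder basic-auth credential; the main caveat it demonstrates is that X-Forwarded-For must only be trusted when the TCP peer is the proxy, otherwise an allowlisted address can simply be spoofed in the header.

```python
import base64
import hmac
import ipaddress

# Constructed sample policy for a staging host. In a real deployment these come
# from configuration or a secrets store, not from source code.
STAFF_ALLOWLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]  # assumed CDN/proxy egress range
BASIC_AUTH_USERS = {"staff": "correct horse battery staple"}  # placeholder credential


def client_ip(peer_addr, xff_header):
    """Return the client's IP. X-Forwarded-For is honoured only when the TCP peer
    is a trusted proxy; the last entry is the address that proxy actually saw."""
    peer = ipaddress.ip_address(peer_addr)
    if xff_header and any(peer in net for net in TRUSTED_PROXIES):
        return ipaddress.ip_address(xff_header.split(",")[-1].strip())
    return peer


def basic_auth_ok(authorization_header):
    """Validate an 'Authorization: Basic ...' header against BASIC_AUTH_USERS."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization_header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = decoded.partition(":")
    expected = BASIC_AUTH_USERS.get(user, "")
    # Constant-time comparison so a wrong password does not leak via timing.
    return bool(expected) and hmac.compare_digest(password.encode(), expected.encode())


def authorize(peer_addr, headers):
    """Allow if the client IP is allowlisted, else fall back to basic auth.
    Returns (allowed, reason) so the decision can be logged for later review."""
    ip = client_ip(peer_addr, headers.get("X-Forwarded-For"))
    if any(ip in net for net in STAFF_ALLOWLIST):
        return True, "ip-allowlist"
    if basic_auth_ok(headers.get("Authorization")):
        return True, "basic-auth"
    return False, "denied"
```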