I'd use Firezone for that. It has an option that forces the user to log in to the platform regularly. Coupling that with an external identity provider via OIDC is a very solid and simple solution for session management.
Firezone seems to have come really far from when I last used it, wow... But... I really like running headscale for most of my stuff, as I prefer the P2P meshing for direct connections and server-to-server latency regardless of where they are.
Just a quick note -- 1.0 goes a little further and rotates the WireGuard keys upon each auth session, so the private key never leaves the tunnel process memory. You need the Firezone client for that, though.