If you want to verify that the user has a verified email while authenticating, you will also get help from the Pre Token Generation Lambda. This trigger is invoked every time a token is rs generated, you could use this to check if email verifcation was successfull and it made its way into the flag that the user has been verified after last login.
In Lambda function:
2, Take this status and compare it to the last status you have stored in your own database.
If it is a newly verified email, perform an update to the user email in your database.