Looks like the Spring Security team are going to add a new annotation @AuthorizeRequestMapping in Spring Security 7 to allow adding this security in controllers that will participate in the authorizeHttpRequests() part of the security chain:

https://github.com/spring-projects/spring-security/issues/16250