
How to stop HTTP onRequest Gen 2 Firebase Functions from deploying as "Allow unauthenticated"?


By default all Firebase Function HTTP Requests are publicly available. If you check Google Cloud Functions Console they will show as "Allow unauthenticated" because they deploy with the roles/run.invoker role.

I would like to deploy an HTTP onRequest Firebase Function (Gen 2) without this. I do not want it publicly available by default because I am using it as a pingback endpoint behind a Google API Gateway.

Note: I want to configure the Firebase function itself, in the function code. I already asked another question here about how to remove public access using the CLI after deployment. This question is different because now I am asking how to stop it from happening in the first place, during deployment using the function code itself.

UPDATE: Since this is not possible I have created a feature request for this to be supported. Upvote here if you would also like to see this added: https://firebase.uservoice.com/forums/948424-general/suggestions/48159746-deploy-http-firebase-functions-without-allow-unau


Solution

  • The answer you accepted for the other question plainly says "The Firebase CLI can't do it." If you want to use the Firebase CLI to author and deploy a function, the answer is still exactly that.

    The thing you're trying to do is not a use case covered by the Firebase CLI. If you absolutely require that the deployment not be public by default (or you want to specify access on the command line), you can't use Firebase tools at all. You will need to use plain GCP Cloud Functions deployed with gcloud (using the --no-allow-unauthenticated flag). This means you will not be able to define your functions using the API defined by the firebase-functions module.

    You are free to file a feature request with Firebase support to add support for your use case, but I would not expect that to be implemented any time soon, as most Firebase app developers build functions to be invoked by their frontends (which of course requires public access).
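Whichever deployment route is used, the result can be checked after the fact. The following is an added example, not part of the original answer or of any Firebase tooling: a post-deploy gate that reads the service's IAM policy and fails if the invoker role is granted to a public principal, which is what "Allow unauthenticated" corresponds to. The function names (`findPublicInvokers`, `gate`) and both sample policies are constructed for illustration.

```javascript
// Added example: flag public invoker bindings in an IAM policy document.
// Input is the JSON printed by, for example:
//   gcloud run services get-iam-policy SERVICE --region=REGION --format=json
// (Gen 2 functions run on Cloud Run, hence roles/run.invoker.)
const PUBLIC_MEMBERS = new Set(["allUsers", "allAuthenticatedUsers"]);
const INVOKER_ROLES = new Set(["roles/run.invoker", "roles/cloudfunctions.invoker"]);

function findPublicInvokers(policyJson) {
  const policy = typeof policyJson === "string" ? JSON.parse(policyJson) : policyJson;
  const findings = [];
  // A policy with no grants has no "bindings" key at all (only an etag).
  for (const binding of policy.bindings ?? []) {
    if (!INVOKER_ROLES.has(binding.role)) continue;
    for (const member of binding.members ?? []) {
      if (PUBLIC_MEMBERS.has(member)) findings.push({ role: binding.role, member });
    }
  }
  return findings;
}

// Returns true when the policy is safe to ship, false when it is public.
function gate(policyJson) {
  const findings = findPublicInvokers(policyJson);
  for (const f of findings) console.error(`PUBLIC: ${f.member} holds ${f.role}`);
  return findings.length === 0;
}

// Constructed sample: an "Allow unauthenticated" service.
const SAMPLE_PUBLIC = JSON.stringify({
  version: 1,
  etag: "PLACEHOLDER-ETAG-1",
  bindings: [{ role: "roles/run.invoker", members: ["allUsers"] }],
});

// Constructed sample: only a gateway service account (hypothetical name) may invoke.
const SAMPLE_LOCKED = JSON.stringify({
  version: 1,
  etag: "PLACEHOLDER-ETAG-2",
  bindings: [{
    role: "roles/run.invoker",
    members: ["serviceAccount:gateway-sa@example-project.iam.gserviceaccount.com"],
  }],
});

console.log("public sample passes gate:", gate(SAMPLE_PUBLIC));
console.log("locked sample passes gate:", gate(SAMPLE_LOCKED));
```

In a CI job, pipe the real `get-iam-policy` output into `gate` and fail the build when it returns false.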