Tory Clasen

05/19/2023, 7:16 PM
Is it possible to push the authorization check into the service mesh? For example, I can push authentication into the service mesh by configuring Istio to not allow connections without a valid JWT, and redirect users to get a JWT if they don't have one, then validate the ones that do exist prior to sending connections to my service. Can I do the same thing at the service mesh level to either prevent network requests from even hitting my system if they aren't allowed by the rules, or block or filter responses if the resources returned also fail rules with the user principal from Istio?

Rob Crowe

05/19/2023, 8:58 PM
that doesn't get everything you asked, but should allow you to call out to a service which talks with Cerbos