Never mind, I think I worked it all out.
1) I hadn't actually configured the Management VLAN as a management VLAN. I believe this would stop routing of that VLAN which currently I don't want to do as I don't have a dedicated device I can stick on the management VLAN. So, there's no actual point in trying to restrict which IPs you can access the management interface on if you aren't going to restrict which source IPs can access. I've found you can use the "IP Authorized-Managers" commands for that.
2) I hadn't configured an "operator" password, just a manager one. As soon as I created the operator one, it restricted the web interface straight away to requiring a logon.
Problem solved.
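Added example, not part of the original post: a small Python check that reads `ip authorized-managers` lines from a saved switch config and reports what management access a given source IP would get. The sample config and addresses are constructed. The syntax `ip authorized-managers <ip> [<mask>] [access manager|operator]`, the defaults for an omitted mask or level, and the "highest matching level wins" rule are assumptions about the switch's behaviour.

```python
import ipaddress
import re

# Constructed sample config; hostname and addresses are made up for illustration.
SAMPLE_CONFIG = """\
hostname "example-switch"
ip authorized-managers 192.168.10.0 255.255.255.0 access manager
ip authorized-managers 192.168.20.15 255.255.255.255 access operator
ip authorized-managers 192.168.30.7
"""

# Assumed syntax: ip authorized-managers <ip> [<mask>] [access manager|operator]
ENTRY_RE = re.compile(
    r"^[ \t]*ip authorized-managers[ \t]+(\S+)"
    r"(?:[ \t]+(\d+\.\d+\.\d+\.\d+))?"
    r"(?:[ \t]+access[ \t]+(manager|operator))?",
    re.IGNORECASE | re.MULTILINE,
)


def parse_entries(config):
    """Return a list of (ip_int, mask_int, level) for each authorized-managers line."""
    entries = []
    for ip, mask, level in ENTRY_RE.findall(config):
        entries.append((
            int(ipaddress.IPv4Address(ip)),
            # Assumption: an omitted mask means a single host.
            int(ipaddress.IPv4Address(mask or "255.255.255.255")),
            # Assumption: an omitted access level means manager.
            (level or "manager").lower(),
        ))
    return entries


def access_for(config, source):
    """Return 'unrestricted', 'manager', 'operator' or 'denied' for a source IP."""
    entries = parse_entries(config)
    if not entries:
        # No entries at all: management access is not limited by source IP.
        return "unrestricted"
    src = int(ipaddress.IPv4Address(source))
    # An entry matches when source and entry agree on every bit set in the mask.
    levels = {lvl for ip, mask, lvl in entries if (src & mask) == (ip & mask)}
    # Assumption: when several entries match, the highest level applies.
    for level in ("manager", "operator"):
        if level in levels:
            return level
    return "denied"
```

An "unrestricted" result corresponds to the situation in point 1: with no authorized-managers entries, any source IP can reach the management interface.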