I like this question. I never realized before, but in order for the auth string to work, the IAP has to 'see' the auth string in the traffic coming back from the web server. If that is HTTPS, the string is hidden in the encryption and it is impossible to read it.
So, you are correct: auth string only works on HTTP pages.
Edit: if you configure Authentication Text in the WebUI, the SSL knob disappears which once more confirms this.
You can configure RADIUS authentication to the internal user database for a similar 'click to accept' experience. This does require a public trusted certificate on your IAPs to prevent the warning pages. Given the point that browsers are more and more displaying ununcrypted HTTP pages as insecure, it may be best to move to RADIUS anyway.