Is there a way to force Authelia to ask for 2FA to access the admin login screen, but allow tracking of websites' visits?

[tvmp]

I have Umami running in Docker. The admin page is behind NginX proxy manager so I can access it remotely. At the moment, if someone types umami.domainname.com, they can get to Umami's login page.
I want to force such visits to go through Authelia's 2FA.
When I activate that in Authelia and NginX proxy manager everything works fine and the visitor is forced to go through Authelia's authentication before accessing Umami's log in page. The problem is that once this starts working, visits cannot get tracked.

I've read that I need to add something that mentions the API, but I have no idea how that would work. This is an extract (sample) from the configuration.yml I have:

access_control:
  default_policy: deny
  rules:
    - domain:
      - 'authelia.mydomain.com' #This should be your authentication URL
        policy: bypass
    - domain: 'mydomain.com'
       policy: one_factor
    - domain: 'nextcloud.mydomain.com'
      policy: two_factor
    - domain: 'umami.mydomain.com'
      policy: two_factor
      resources:
        - '^/api/statistics'

But it's not working (meaning visits don't get tracked).

Can someone help me with the last line of the above please? What does it need to say there?

[illispi]

Did you figure this out?