The order of operations you provide does a better job at explaining this than your statement, "cgiapp_init() is called once by new, while cgiapp_prerun() is called everytime a request comes in".
Basically, cgiapp_init() is called as the object is first created in order to setup the environment for the application. cgiapp_prerun() is called prior to executing the selected run mode for a given request. I typically use cgiapp_prerun() to check if the run mode is allowed at this point by this user -- i.e. I use cgiapp_prerun() as the place to implement ACLs.