It's been years since I last did bare CGI, so with that in mind here goes... Invert the logic a little, and use a loop that blocks further progress until the user authenticates. Pseudo-code follows:

while( ! defined $cookies{'authorized'} ) {
    if( param ) {
        if( validates ) {
            # Set authorization cookie
            next;  # Auth check will pass, so this is
                   # equiv to "last"
        }
    }
    # If we get here, the user hasn't successfully validated
    # Generate auth form.
}

# To arrive here we must have authenticated: Redirect.
[download]

If you have creative control on this project, it seems that you're early enough along in the process that you could just ditch CGI.pm and run straight to Mojolicious::Lite, which will run in a CGI environment, but will greatly promote de-spaghettification of your code, and makes auth checks almost free.