Managed to figure it out and want to share it with others in case they’re having the same issue.
When protecting wp-admin, protect it using wp-admin/.htaccess file, but that only works for the wp-admin directory, and won’t affect the wp-login.php file which is outside that directory.
Add protection to the wp-login.php file using the <files></files> directive in the root .htaccess file.
After doing that and reloading the page, failing to authenticate will no longer show the login page or anything related to wp-login.php.
Hope this helps someone out there. Please let me know if it does.