Hey Ella,
You could
require authentication for all routes on the app, and inspect the user's domain in each request, sending an error, failing silently, or redirecting to the login page if the domain doesn't match. This will be relatively cheap since the user's authentication information is provided in a header with each request.
There's also the possibility of setting your app's authentication to Google Apps domain. This can be found in the “app engine > settings” section of the developers console, although I'm not sure if this will work with domain aliases.
Let me know if you have any further questions and I'll be happy to assist.
Cheers!
Nick
Cloud Platform Community Support