"Can't" is a strong word. You can get auth with a CRDT with effort; for example, you can put a server in the middle of everything and have the server reverse any changes it sees which are unauthorized.
This ends up being a lot of work to maintain and easy to break as the application gets bigger, and it also defeats some of the benefits of the CRDT in the first place (now the server has to mediate everything and you can't have peer-to-peer sync).
Also, if there are side effects of any actions which require auth which aren't undoable, then that gets more complicated.
If you already have a server in the middle, it's a lot simpler to just use a protocol that allows the server to reject messages in the first place.
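
Added example, not part of the original comment: a sketch of the "server rejects messages in the first place" design, shown beside an ungated replica that merges every operation it receives. The names `Op`, `LWWMap`, `GateServer` and the ACL layout are hypothetical, and the `author` field is assumed to be authenticated by the transport.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Op:
    key: str
    value: str
    ts: int       # Lamport timestamp
    author: str   # assumed already authenticated by the transport

class LWWMap:
    """Last-writer-wins map CRDT: merge has no notion of permission."""
    def __init__(self):
        self.entries = {}  # key -> winning Op

    def apply(self, op):
        cur = self.entries.get(op.key)
        # Highest (ts, author) wins, so merge order does not matter.
        if cur is None or (op.ts, op.author) > (cur.ts, cur.author):
            self.entries[op.key] = op

    def get(self, key):
        op = self.entries.get(key)
        return op.value if op else None

class GateServer:
    """Relay that checks every op against an ACL before merging it."""
    def __init__(self, acl):
        self.acl = acl          # key -> set of authors allowed to write
        self.state = LWWMap()
        self.rejected = []      # kept for audit, never merged or forwarded

    def submit(self, op):
        if op.author not in self.acl.get(op.key, set()):  # default deny
            self.rejected.append(op)
            return False
        self.state.apply(op)
        return True

def demo():
    # Constructed sample data.
    acl = {"title": {"alice", "bob"}, "owner": {"alice"}}
    ops = [Op("owner", "alice", 1, "alice"),
           Op("title", "Draft", 2, "bob"),
           Op("owner", "mallory", 3, "mallory")]  # not in the ACL for "owner"
    peer, server = LWWMap(), GateServer(acl)
    accepted = [server.submit(op) for op in ops]
    for op in ops:
        peer.apply(op)      # an ungated replica merges whatever arrives
    return peer.get("owner"), server.state.get("owner"), accepted
```

The gated state never contains the unauthorized write, so there is nothing to reverse afterwards; the ungated replica converges on it because last-writer-wins only compares timestamps.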