Hi JoeH,
Thanks for the question. It's a bit unclear to me why you want your add-in to remain private. If its for security reasons, I'd propose that the solution proposed is inadequate as anyone who does gain access to a manifest or your website can likely accomplish a great deal in terms of access if the sites are not secured. I'd actually recommend having a friendly landing page for your add-in that then gates a lot of the add-in experience behind Azure AD Single-sign on. The landing page can serve as a marketing page for potential customers and the log-in will navigate existing users through to the experience. When going through AppSource validation, you would need to provide our testers with an account so they could validate the integration.
Thanks!
-Sean Laberee