The embedding does an HTTP request from the server, not the user, to the supplied URL to grab its metedata and verify the URL even exists. It does not pass any cookies with this request for security purposes. For it to do what you're wanting it would need to pass the login cookie state with the HTTP request, but only to on-site URLs. I'll consider implementing that in a future request, but it is not a priority as there's security issues possible here.
forge.joomlapolis.com/issues/8261