That’s exactly it! We already use this on nostr.wine to protect your DM metadata.

When you try to request a DM from nostr.wine, we send an AUTH challenge through the socket. Your client signs and returns the challenge so that we know who is making the request. We user this information to only allow the sender or receiver to request DMs.

There main downside is decreased privacy from the relay operator as it becomes easier to associate REQs with a pubkey (though it can be done without AUTH anyway).