cajn, if you upload your custom forms as static files via FTP to /wp-forms, then you have to understand that these forms are technically not part of your WordPress website. This is because WordPress core is not aware of those custom forms, which means that AAM does not know about them either.
This article can be a good starting point for you https://aamplugin.com/article/how-to-restrict-access-to-any-wordpress-website-url.
Basically, if you need to restrict access to your files that are not uploaded to the WordPress website as media assets (via Media Library), then you either have to customize your website server routing engine to point to some access control handler that uses AAM API, or make sure that each custom form is a PHP script that loads WordPress core and also renders your form.
If you can give me an example of your form (copy & paste one form's file content), I might be able to help you more.
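
The second option from the reply above (a form that is itself a PHP script loading WordPress core), as an added example that is not part of the original reply and not AAM's own code. It uses WordPress core login and capability checks rather than the AAM API; the file name `contact.php`, the `edit_posts` capability, the nonce action `wp_forms_contact` and the location of `/wp-forms` directly inside the WordPress root are assumptions.

```php
<?php
// /wp-forms/contact.php (hypothetical file name). Assumes /wp-forms sits
// directly inside the WordPress root, next to wp-load.php.
require_once dirname( __DIR__ ) . '/wp-load.php'; // boot core so users and roles are known

// Anonymous visitors are sent to the login page and returned here afterwards.
if ( ! is_user_logged_in() ) {
    auth_redirect();
}

// Assumed policy: only users holding this capability may see the form.
$required_cap = 'edit_posts';
if ( ! current_user_can( $required_cap ) ) {
    wp_die( 'You are not allowed to view this form.', 'Forbidden', array( 'response' => 403 ) );
}

$message = '';
if ( 'POST' === $_SERVER['REQUEST_METHOD'] ) {
    // Reject submissions that do not carry the nonce issued with the form (CSRF check).
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'wp_forms_contact' ) ) {
        wp_die( 'Invalid or expired form token.', 'Bad Request', array( 'response' => 400 ) );
    }
    $comment = isset( $_POST['comment'] ) ? sanitize_textarea_field( wp_unslash( $_POST['comment'] ) ) : '';
    $message = 'Received ' . strlen( $comment ) . ' characters.';
}

nocache_headers(); // keep the protected page out of shared caches
?>
<!DOCTYPE html>
<html>
<body>
<?php if ( $message ) : ?>
    <p><?php echo esc_html( $message ); ?></p>
<?php endif; ?>
<form method="post">
    <?php wp_nonce_field( 'wp_forms_contact' ); // emits the hidden _wpnonce field ?>
    <textarea name="comment"></textarea>
    <button type="submit">Send</button>
</form>
</body>
</html>
```

Any static copy of the same form left in /wp-forms is still served directly by the web server, so it has to be removed once the PHP version is in place.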