I'd let them log in. Save the value of the "emailVerified" column in the session during login. Then you can create an access rule that checks the value of the "emailVerified" session variable of a logged in user.
On the restricted page you can add two restrict access server behaviors. The first one just checks if they are logged in and redirects to the login page with:
and the other that checks the value of the emailVerified and redirects to:
That way you can show different messages based on how they got to the page.