I think the easiest solution would be to slightly tweak the uvicorn server in prodigy/app.py and add an SSL certificate (see the "Running with HTTPS" section here), so you can serve the Prodigy app via HTTPS. Then you'd be able to load it within an iframe on an HTTPS site.
It might be as straightforward as adding two arguments for the SSL certificate to uvicorn.run. If that works, we can also easily add this as a feature to Prodigy, e.g. by accepting environment variables.