Not really directly answering your question here, so feel free to ignore me. But if I'm understanding right, your setup sounds like a more complicated way of doing what I am.
I put Tailscale on all my devices, and in every docker compose, for the ports I do TailscaleIP:hostport:containerport.
So nothing can be accessed on the local network at all, only through Tailscale, which I can access from any of my devices locally or remotely without opening a port. All E2E encrypted, I'm pretty sure. The only con is having to trust Tailscale.
I do keep the Plex port open for friends though.
From what I understand, running high-bandwidth things like video streaming through Cloudflare tunnels will get your Cloudflare account banned or charged (which is why they require payment info to set up tunnels).
Best to keep things like Emby, Jellyfin, and Plex to Tailscale or just open the port.
Idk how Emby works, but with Plex I feel pretty safe having the port open, since any logins have to auth through Plex's servers.
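An added example (not the commenter's code) that audits a compose file for the pattern described above: it flags any published port that is not pinned to a Tailscale address (100.64.0.0/10, Tailscale's CGNAT range) or loopback, so it would be reachable on the LAN. It assumes the compose file has already been loaded into a dict (as `yaml.safe_load` returns), that host IPs in the short port syntax are IPv4, and uses a constructed sample compose with made-up service names.

```python
import ipaddress

TAILSCALE_NET = ipaddress.ip_network("100.64.0.0/10")  # Tailscale's CGNAT range

# Constructed sample: what yaml.safe_load() returns for a small compose file.
# "jellyfin" follows the TailscaleIP:hostport:containerport pattern, "plex" is
# published on every interface, "db" uses long syntax, "admin" is loopback-only.
SAMPLE_COMPOSE = {
    "services": {
        "jellyfin": {"ports": ["100.101.102.103:8096:8096"]},
        "plex": {"ports": ["32400:32400/tcp"]},
        "db": {"ports": [{"target": 5432, "published": 5432, "host_ip": "0.0.0.0"}]},
        "admin": {"ports": ["127.0.0.1:9000:9000"]},
    }
}


def classify_host_ip(host_ip):
    """Return 'tailscale', 'loopback', 'lan' or 'all-interfaces' for a bind address."""
    if host_ip in (None, "", "0.0.0.0", "::"):
        return "all-interfaces"  # no host IP means docker binds to every interface
    addr = ipaddress.ip_address(host_ip)
    if addr.is_loopback:
        return "loopback"
    if addr in TAILSCALE_NET:
        return "tailscale"
    return "lan"


def parse_port(entry):
    """Return (host_ip, host_port) for a short- or long-syntax ports entry (IPv4 only)."""
    if isinstance(entry, dict):  # long syntax: target/published/host_ip keys
        return entry.get("host_ip"), str(entry.get("published", ""))
    spec = str(entry).split("/")[0]  # drop a trailing /tcp or /udp
    parts = spec.rsplit(":", 2)  # [host_ip:]host_port:container_port
    if len(parts) == 3:
        return parts[0], parts[1]
    if len(parts) == 2:
        return None, parts[0]
    return None, "ephemeral"  # container port only: docker picks a host port


def exposed_ports(compose):
    """List (service, host_port, scope) for ports reachable beyond Tailscale or loopback."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        for entry in svc.get("ports", []):
            host_ip, host_port = parse_port(entry)
            scope = classify_host_ip(host_ip)
            if scope in ("all-interfaces", "lan"):
                findings.append((name, host_port, scope))
    return findings
```

Running `exposed_ports(SAMPLE_COMPOSE)` reports plex and db; the Tailscale-pinned and loopback-only services are left alone.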