I'm definitely not a network pro, but it sounds like you're looking to do something similar to what I have.
I've got Nginx Proxy Manager as my reverse proxy, with Pi-hole for local DNS. All traffic goes through the Pi-hole, and anything going to mydomain.com has DNS entries pointing to nginx. I've set nginx up so service.lan.mydomain.com is for anything local and just service.mydomain.com for anything external, with wildcard SSL certs for both (*.domain doesn't seem to cover *.lan.domain, so add certs for both - probably because it's a sub-subdomain).
The Cloudflare tunnel can then just get directed to service.mydomain.com instead of the IP of the service.
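As an added illustration of the wildcard-cert point in the post above (my own example, not the poster's setup or Nginx Proxy Manager's code): a certificate wildcard matches exactly one DNS label, which is why `*.mydomain.com` covers `service.mydomain.com` but not `service.lan.mydomain.com`. The checker below applies the RFC 6125 rules that browsers and OpenSSL use, so you can audit a planned hostname list against a cert's SAN entries before deploying; the SAN lists and hostnames are constructed from the post's naming scheme.

```python
def wildcard_matches(san: str, hostname: str) -> bool:
    """Return True if a certificate SAN entry covers hostname.

    Rules (RFC 6125, as enforced by browsers/OpenSSL):
    - comparison is case-insensitive; a trailing dot is ignored
    - '*' is honoured only as the entire left-most label
    - '*' matches exactly one label and never a dot, so
      '*.mydomain.com' does NOT cover 'service.lan.mydomain.com'
    - a wildcard needs at least two labels after it ('*.com' is rejected)
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in san:
        return san == hostname
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    # Partial wildcards such as 'svc*.mydomain.com' and multiple '*' are rejected.
    if san_labels[0] != "*" or san.count("*") != 1 or len(san_labels) < 3:
        return False
    # Exactly one label is consumed by '*', so label counts must be equal.
    if len(san_labels) != len(host_labels) or host_labels[0] == "":
        return False
    return san_labels[1:] == host_labels[1:]


def uncovered_hosts(sans: list[str], hosts: list[str]) -> list[str]:
    """Hostnames with no SAN entry covering them (what would fail TLS validation)."""
    return [h for h in hosts if not any(wildcard_matches(s, h) for s in sans)]


if __name__ == "__main__":
    # Constructed hostnames following the post's local/external split.
    planned = ["service.mydomain.com", "service.lan.mydomain.com"]
    single_wildcard = ["mydomain.com", "*.mydomain.com"]
    both_wildcards = single_wildcard + ["*.lan.mydomain.com"]
    print("missing with one wildcard:", uncovered_hosts(single_wildcard, planned))
    print("missing with both wildcards:", uncovered_hosts(both_wildcards, planned))
```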