uninvitedguest (@uninvitedguest@lemmy.ca)

Thanks so much to u/DSM-20 on the self-hosted Reddit for taking the time to connect and walk me through the Cloudflare setup (and then some!). The solution is:

  1. In NPM, set up a wildcard Let’s Encrypt certificate (e.g. *.domain.com), using a DNS challenge with Cloudflare as the DNS provider and an API token that is created in your Cloudflare profile that provides Zone:DNS:Edit permissions.
  2. In Cloudflare’s Zero Trust Dashboard, when setting up a public hostname (e.g. sub.domain.com) to point to the LAN IP of your reverse proxy (e.g. 192.192.192.2), the “Additional Application Setting -> TLS -> Origin Server Name” needs to be set the same as the public hostname you are setting up (e.g. sub.domain.com).

And that was it! After saving that application setting, the setup I had worked instantly.

There are some additional settings that can be included in the NPM Proxy Host config that expose the IP of the connected user instead of Cloudflare’s proxy IP.


```
set_real_ip_from ;

real_ip_header CF-Connecting-IP;
```
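
Why step 2 matters, as an added example (not part of the original post, and not Cloudflare's or NPM's code): a simplified RFC 6125-style name check showing that the wildcard certificate from step 1 does not match the proxy's LAN IP but does match the public hostname. It assumes the tunnel connector verifies the origin certificate against the Origin Server Name when one is set and otherwise against the host in the service URL; `name_matches`, `cert_accepts` and `check_origin` are hypothetical helper names, and the SAN list is constructed from the post's example values.

```python
import ipaddress

def _is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def name_matches(pattern, hostname):
    """Simplified RFC 6125 DNS-name match: '*' only as the whole left-most label."""
    if _is_ip(hostname):
        return False  # an IP address never matches a DNS-name SAN entry
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False  # a wildcard covers exactly one label, never zero or two
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_accepts(san_dns_names, expected_name):
    return any(name_matches(s, expected_name) for s in san_dns_names)

# Constructed sample: SAN list of the wildcard certificate from step 1.
SANS = ["*.domain.com"]

def check_origin(service_host, origin_server_name=None):
    """Return (name the connector verifies, whether the certificate matches it).

    Assumption: Origin Server Name, when set, replaces the service host
    as the expected certificate name.
    """
    expected = origin_server_name or service_host
    return expected, cert_accepts(SANS, expected)

if __name__ == "__main__":
    # Service points at the reverse proxy's LAN IP, as in step 2.
    for osn in (None, "sub.domain.com", "domain.com", "a.sub.domain.com"):
        print(osn, check_origin("192.192.192.2", osn))
```

The same check also shows that a `*.domain.com` certificate covers neither the bare `domain.com` nor a deeper name such as `a.sub.domain.com`, so those hostnames need their own certificate entries.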