Wanted to circle back in here and offer up the solution that I was able to make work after a few nights fighting this thing.
First, I reverted back to open ports on my router and set my CF DNS back to update dynamically and point to my public IP. Tested that and could not get it to work. Once I did quite a bit of digging, I found that for some reason SWAG was being weird about my SSL certs. I think that was the root cause, and for some reason I could not get a cert to regenerate so I "unproxied" CF DNS.
After taking all those steps, I was able to get SWAG to regenerate my cert, and everything worked. Terrific!
After that, I stopped my Dynamic DNS container, started up cloudlfared and confirmed I was into my previously created tunnel.
At that point, I removed the entirety of my CF DNS configuration, closed up my forwarding rules on my router and reset my CF DNS to route my root domain (@) to my Argo Tunnel, using a CNAME, and a second with my desired subdomain. Punched it all through and everything seems to work. I even get a CF page telling me to go pound sand when I try and access using the IP that a ping resolves to in a web browser.
I'm not sure if I had to take all those steps, or if I could have just tried to regen my SSL cert through the tunnel but it seems like SWAG had trouble authenticating my cert while I was proxied through CF for my DNS (no tunnel), and it worked after I turned that proxying off.