Yup, that's set.
I've attached censored snips of Nextcloud's config, SWAG's Nextcloud proxy config and my port forwards in pfSense (just as a hail mary).
I've also checked out some of SpaceInvader1's older videos on configuring LetsEncrypt for external access and, aside from some UI changes that have occurred over 4 years, all else seems the same and correct.
Checking again from my laptop on my phone hotspot (i.e. outside my network), I'm now getting a failure to connect, not even the 502 I was getting previously. I've attached a snip from Cloudflare in case I've got some bad config there too. Each censor is colour coded where I've erased the same data over again.
I'm very much learning as I'm going here, and probably running before I can walk.