Hi Paldren!
Your post is a bit older, but since I'm currently struggling to set up NPM and Cloudflare the way I want, I also came across the topic of "Cloudflare Tunnels". Right now, it's the only working configuration that allows me to make individual Docker services publicly accessible via my own domain and SSL without exposing my public IPv4 address. I'm actually working on solving everything through Tailscale, but I'm currently stuck with that.
With the help of Cloudflare Tunnel and additional authentication, everything is working for now, and I think this setup is at least somewhat "secure."
In your first screenshot, I noticed that under "Public Hostname" in the CF Tunnel settings, you entered the HTTPS port of your NPM. However, you should enter the port of the service you want to access via the CF Tunnel - for example, port 8096 for Jellyfin.
Besides that, you don't actually need NPM at all when using CF Tunnel. Please correct me if I'm talking nonsense—I'm still a beginner when it comes to networking.
Best regards,
Tom