This seems super overcomplicated. What I would do is put all the subdomains on the public DNS, let HTTP(S) through the firewall for the respective hosts, deny everything from outside of your local network on the http server that isn’t under the HTTP challenge path and then run the HTTP challenge as you would for a public site.
Then you can get certs, everyone outside trying to access will get 403, and inside the network you can access as normal.
Of course you’ll have to trust your HTTP server’s ACL for that, but I’m just going to assume servers like nginx (which I use) have a reliable implementation.
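An added example of the layout described in the comment above (not the commenter’s own config): one nginx server block that leaves only the ACME HTTP-01 challenge path world-reachable and answers 403 to everything else from outside the LAN. The LAN range 192.168.1.0/24, the challenge webroot /var/www/acme, the backend 127.0.0.1:8080, the hostname and the certificate paths are all placeholder assumptions.

```nginx
# Assumed values (placeholders): LAN 192.168.1.0/24, ACME webroot /var/www/acme,
# backend on 127.0.0.1:8080, hostname app.example.com, cert paths under /etc/letsencrypt.
server {
    listen 80;
    listen 443 ssl;
    server_name app.example.com;

    ssl_certificate     /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;

    # Do NOT put allow/deny at server level: it would be inherited by every
    # location, including the challenge path, and issuance would fail.

    # ACME HTTP-01 challenge: must stay reachable from the Internet.
    # "^~" prefix match wins over later regex locations; no allow/deny here,
    # so the CA's validation servers can fetch the token file.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type text/plain;
    }

    # Everything else: LAN (and localhost) only; all other sources get 403.
    # $remote_addr must be the real client address; if another proxy sits in
    # front of nginx, configure the realip module first or this check is void.
    location / {
        allow 192.168.1.0/24;
        allow 127.0.0.1;
        deny  all;

        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
```

Before the first certificate exists the ssl_certificate files are missing and nginx will refuse to start, so bring the block up with the port 80 listener only (or a temporary self-signed pair), obtain the cert, then enable 443.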
I use AdGuard and Vinegar Extract (Vinegar without the adblock part). IIRC those are free and work well for me, so try them first.