Why not just use the Cloudflare tunnel to connect directly to the services in question, rather than tunnel > npm > service, out of curiosity?
I’ve got a bunch of my services behind my tunnel, be it http or tcp services, and just point the tunnel to those services directly. Services I don’t want publicly accessible I put behind Cloudflare access which goes to my Keycloak instance for auth and then to the service if successful. Ended up getting rid of traefik as a reverse proxy entirely when I swapped to using Cloudflare tunnels.