I see many people advocating for a publicly trusted cert, but if you want to get some practice using privately signed certs, that is also an option. Many companies have private CAs, so you might as well get in some practice.
Technically, you don't need a domain or a Cloudflare tunnel. You do, however, need to make sure the certificate you generate and the name you use to connect match. You will need to add the local authority as a trusted root if you do not obtain publicly trusted certificates.
Reverse proxies like Caddy can also act as their own CA. It also makes it easy to configure the name. As long as you add it as a trust root to your clients, any certificate generated by Caddy will be trusted by the client.
This way, you don't need an external domain name.
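
The two requirements above (the certificate must cover the name you connect with, and the client must trust the private root) can be tried end to end with the `openssl` CLI. This is an added example, not part of the original comment; the CA name, `nas.home.arpa` and `192.168.1.10` are constructed values.

```bash
#!/usr/bin/env bash
# Added example. All names (Homelab Root CA, nas.home.arpa, 192.168.1.10)
# are constructed for illustration. Requires the openssl CLI (1.1.0 or newer).

# make_pki DIR NAME: create a private root CA in DIR and a leaf cert for NAME.
make_pki() {
  local d="$1" name="$2"
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Homelab Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Root CA: ca.crt is the file clients import as a trusted root.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$d/ca.cnf" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  # Leaf key and CSR for the server (or reverse proxy) that presents the cert.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=$name" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  # The SAN is what clients compare against the name they connect to.
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$name" > "$d/leaf.ext"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 90 -sha256 -extfile "$d/leaf.ext" \
    -out "$d/leaf.crt" 2>/dev/null
}

# client_accepts LEAF NAME ROOT: succeeds only if LEAF chains to ROOT and its
# SAN covers NAME, the two checks a TLS client combines.
client_accepts() {
  openssl verify -CAfile "$3" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

show() { client_accepts "$@" && echo "accepted: $2" || echo "rejected: $2 (root: $3)"; }

demo() {
  local a b; a=$(mktemp -d); b=$(mktemp -d)
  make_pki "$a" nas.home.arpa   # the private CA the client has imported
  make_pki "$b" nas.home.arpa   # an unrelated CA, i.e. the real root was never imported
  show "$a/leaf.crt" nas.home.arpa "$a/ca.crt"   # name matches, root trusted
  show "$a/leaf.crt" 192.168.1.10  "$a/ca.crt"   # connecting by IP: name mismatch
  show "$a/leaf.crt" nas.home.arpa "$b/ca.crt"   # right name, wrong root
  rm -rf "$a" "$b"
}
demo
```

Only the first case is accepted; the other two correspond to the browser warnings you get when connecting by a name the certificate does not list, or before the private root has been added to the client's trust store.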