I have my domain mydomain.com, rented from OVH. I use HAProxy on pfSense to redirect mydomain.com and *.mydomain.com, and pfSense manages the DNS challenge certificate.
I would like the root mydomain.com to redirect to aa.mydomain.com (TLS certificate will be served by a third-party website, e.g. GitHub, to host my CV), but keep the wildcard certificate for all other subdomains on my pfSense.
Currently, the certificates for *.mydomain.com and mydomain.com are on my pfSense. All I have managed to do is serve the certificate for www.mydomain.com on the 3rd-party website and add a DNS record for that subdomain.
Even if the data is passing through the Cloudflare CDN and uses the Cloudflare certificates, my data is encrypted first using my own certificates from the proxy server
This is false. Connect to your website and check the certificate: it will be Cloudflare's. I assume either you have not checked, or are a Business customer paying quite some money yearly to Cloudflare.
Cloudflare decrypts inbound traffic, then re-encrypts it before sending it to you, unless you pay a decent amount of money so that they serve your certificate.
Oracle gives free VPS, permanently free. Have a backup of these VPSes though, Oracle sometimes (haven't experienced it myself, but some people here did) kills these VPSes.
No need to expose to the Internet. You can e.g. expose them to Home-Assistant/openHAB only, or VPN to your LAN then connect to them.
pfSense can do that.