I recreated your config locally, observed the same behavior and after some research found out that this comes up more or less regularly. Example:
2026/01/23 18:23:22.533 DEBUG http.stdlib http: TLS handshake error from 192.168.1.254:443: no certificate available for '192.168.1.64'
I found this line peculiar. Why would browsing to my public IPv4 (implying this to be the sent SNI) match my local IPv4 address? Could be because my local IPv4 actually is 192.168.x.x. The definitive, permanent solution would be to simply use some form of DNS name here and have Caddy issue a cert to this name (it would make it possible to use publicly trusted certs), but if you truly insist on IP addresses, add your local IPv4 to the site addresses.
107.220.81.150 192.168.1.64 {
…
}
By the way, the @metrics definition is superfluous if you only use a path match. You can use /metrics* as the matcher in response directly.
respond /metrics* 403
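Putting the two suggestions above together, here is an added, complete Caddyfile example (not the poster's config, whose other directives are elided as `…` above). It assumes the public and local IPv4 addresses from the thread, and it adds `tls internal` as an assumption because Caddy issues certificates for bare IP addresses only from its own internal CA, so browsers will show a locally trusted cert unless you switch to a DNS name as recommended. The commented-out site block shows that DNS-name variant.

```caddyfile
# Assumption: both addresses the clients actually send as SNI are listed,
# so Caddy has a certificate for each and the
# "no certificate available for '192.168.1.64'" handshake error goes away.
107.220.81.150 192.168.1.64 {
	# IP-address certificates come from Caddy's internal CA (assumption that
	# this is what the deployment wants; for publicly trusted certs use a DNS name).
	tls internal

	# Deny the metrics endpoint with a plain path matcher; no named matcher needed.
	respond /metrics* 403

	# … the rest of the original site configuration goes here
}

# Preferred alternative: a DNS name, which lets Caddy obtain a publicly trusted
# certificate automatically (replace the placeholder with a real hostname).
# home.example.invalid {
# 	respond /metrics* 403
# 	# … rest of the site configuration
# }
```

Before reloading, `caddy validate --config Caddyfile --adapter caddyfile` will catch syntax errors and confirm the site addresses parse as intended; after reloading, the DEBUG log line quoted above should no longer appear for handshakes from the LAN.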