That’s not the right way to do it, because then vaultwarden is still directly accessible by anyone who can make requests to that host machine, reaching vaultwarden on port 8080 without TLS.
Instead, you should put both containers in the same Docker network, and then use the container name as the upstream address, i.e. vaultwarden:80 and vaultwarden:3012. And you don’t need to publish the ports of the vaultwarden container to the host (i.e. remove the -p arguments on your vaultwarden container).
That way, it’s only accessible through Caddy, which protects the connections over TLS.
This is much easier to do if you use Docker Compose instead of directly using docker commands, since you can declaratively write how Docker should work, plus you get some nice things built-in like Compose setting up a network for all services in the same project.
Here’s a starting point:
Add in your vaultwarden service to that, and it should work.
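
The layout described in this post, written out as a Compose file; this is an added example, not part of the original post or either project's documentation. The hostname vault.example.com, the image tags, the volume names and the WEBSOCKET_ENABLED setting (for vaultwarden versions that serve notifications on port 3012) are assumptions.

```yaml
# Added example: compose.yaml, with the Caddyfile it mounts shown in comments.
# Assumptions (not from the post): hostname vault.example.com, image tags,
# volume names, and WEBSOCKET_ENABLED for versions that use port 3012.
#
# ./Caddyfile:
#   vault.example.com {
#       reverse_proxy /notifications/hub vaultwarden:3012
#       reverse_proxy vaultwarden:80
#   }

services:
  caddy:
    image: caddy:2
    restart: unless-stopped
    ports:
      # Caddy is the only service published on the host.
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy_data:/data       # certificates and keys
      - caddy_config:/config

  vaultwarden:
    image: vaultwarden/server:latest
    restart: unless-stopped
    environment:
      WEBSOCKET_ENABLED: "true"
    volumes:
      - vw_data:/data
    # No "ports:" section here. Compose puts both services on the project's
    # default network, so Caddy reaches this container by its service name.
    # The weak setup would be
    #   ports: ["8080:80"]
    # which exposes plain HTTP on the host and bypasses Caddy's TLS.

volumes:
  caddy_data:
  caddy_config:
  vw_data:
```

After `docker compose up -d`, `docker compose ps` should list published ports for caddy only.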