So you’re saying you want to use your public domain, but don’t want to make it publicly accessible?
Then you should use the ACME DNS challenge to get a certificate, using the GitHub - caddy-dns/cloudflare: Caddy module: dns.providers.cloudflare plugin. See How to use DNS provider modules in Caddy 2. This would let you get a certificate without your server being open to the outside world, and your LAN clients will trust connections to your server without additional setup on each device (which you'd have to do if you used `tls internal` to have Caddy issue certs using its internal CA).
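As an added illustration of the setup described above (example config, not from the original post or the plugin's docs): a Caddyfile that uses the Cloudflare DNS provider for the ACME DNS challenge, assuming a placeholder domain, a Cloudflare API token supplied through a `CF_API_TOKEN` environment variable, and an internal backend on port 8080.

```caddyfile
# Caddy must be built with the plugin, e.g.:
#   xcaddy build --with github.com/caddy-dns/cloudflare
# The site is only reachable on the LAN; Caddy needs outbound access
# to the ACME CA and the Cloudflare API, not inbound ports 80/443
# from the internet, because the challenge is answered via DNS.
internal-app.example.com {
	tls {
		# DNS-01 challenge through Cloudflare. The token is read from
		# the environment so it never sits in the config file; scope it
		# to DNS edit on this zone only (assumption: token is named CF_API_TOKEN).
		dns cloudflare {env.CF_API_TOKEN}
	}

	# Assumed LAN backend; adjust to the real service.
	reverse_proxy localhost:8080
}
```

Because the certificate comes from a public CA, LAN clients trust it with no per-device CA install; keep the token out of version control and rotate it if the host is ever compromised.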