I don't host AIO right now, but this issue looks like a DNS-related issue.
All DNS records should point to the OPNsense if you want to use it as reverse proxy.
That means cloud.domain.com should always point to either the OPNsense external or internal IP address.
In your example it points to the Nextcloud itself, but there is no https on 443 on the Nextcloud host itself (via hosts file), so curl fails. If it pointed to the OPNsense, it would get the request since it listens on https:// 443 and then reverse proxies that request back to the Nextcloud host on 11000.
I don’t know why you want to curl the AIO on 80 and 443 directly.
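
The hosts-file override described in the reply above can be checked mechanically. The script below is an added example, not part of the original post; the function names and the addresses 10.0.0.1 (OPNsense) and 10.0.0.20 (Nextcloud host) are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example: find hosts-file entries that pin a name to an address other
# than the reverse proxy. All names and addresses here are constructed.

# check_hosts_override HOSTS_FILE NAME PROXY_IP...
# Prints one line per matching entry. Returns 0 if the name is absent or only
# pinned to a listed proxy IP, 1 if it is pinned to any other address.
check_hosts_override() {
    cho_file=$1
    cho_name=$2
    shift 2
    awk -v name="$cho_name" -v proxies="$*" '
        BEGIN {
            n = split(proxies, p, " ")
            for (i = 1; i <= n; i++) ok[p[i]] = 1
        }
        {
            sub(/#.*/, "")            # strip comments; awk re-splits the fields
            if (NF < 2) next          # need an address and at least one name
            for (i = 2; i <= NF; i++) {
                if (tolower($i) != tolower(name)) continue
                if ($1 in ok) {
                    printf "ok: %s -> %s (reverse proxy)\n", name, $1
                } else {
                    printf "mismatch: %s -> %s (not the reverse proxy)\n", name, $1
                    bad = 1
                }
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$cho_file"
}

# Constructed sample input: cloud.domain.com is pinned to the Nextcloud host
# (10.0.0.20, assumed) instead of the OPNsense (10.0.0.1, assumed).
write_sample_hosts() {
    cat > "$1" <<'EOF'
127.0.0.1   localhost
10.0.0.20   cloud.domain.com   # constructed: points at the Nextcloud host
EOF
}
```

On a real client, pass `/etc/hosts` as the first argument and the internal and external OPNsense addresses as the proxy IPs.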