Allowing public share links for private instance

Hi,

I am currently working on something like that, for my home use. Here’s what I have done, maybe some ideas are helpful to you. Though I don’t have it working yet, unfortunately.

Access to my Nextcloud instance is secured via Tailscale @ https://nextcloud.mytailnet.ts.net. Public share links start at the /s/ route. So I’ve heard people advocating Cloudflare Tunnels for this use case.

I set up Cloudflare Tunnel with https://public-nextcloud-share.mydomain.tld to route any traffic going to the /s/ route to my NGINX which then forwards to my instance that is secured by Tailscale.

This appeared to work at first, however, when I open e.g. https://public-nextcloud-share.mydomain.tld/s/fpwjstoijtoi5jtoj43otj43t43 on a public device, the page is broken and there are lots of JavaScript errors in the console, because assets coming from the /dist folder could not be loaded. I set up Cloudflare to only forward traffic to https://public-nextcloud-share.mydomain.tld/s/ to NGINX and drop (404) all other traffic. So I know it’s because of the Cloudflare Tunnel config but I don’t know how else to allow only traffic destined for the public share endpoint.
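
An added example, not part of the post above: a cloudflared ingress allowlist that forwards the two path prefixes the post names (/s/ and /dist/) and answers everything else with 404. It assumes a locally managed tunnel configured through config.yml and NGINX listening on localhost:8080; the tunnel ID, credentials path and port are placeholders.

```yaml
# config.yml for cloudflared (constructed example; placeholder values)
tunnel: <TUNNEL-ID>                                  # placeholder
credentials-file: /etc/cloudflared/<TUNNEL-ID>.json  # placeholder path

ingress:
  # Public share pages. "path" is a regular expression matched against
  # the request path, so anchor it with ^ to match the prefix only.
  - hostname: public-nextcloud-share.mydomain.tld
    path: ^/s/
    service: http://localhost:8080   # assumed NGINX listener

  # Static assets the share page loads. Without this rule they fall
  # through to the 404 catch-all, which is the failure described above.
  - hostname: public-nextcloud-share.mydomain.tld
    path: ^/dist/
    service: http://localhost:8080

  # Catch-all: every other host or path is dropped with 404.
  # cloudflared requires the last ingress rule to have no hostname or path.
  - service: http_status:404
```

Rules are evaluated top to bottom and the first match wins. Only the two prefixes from the post are allowed here, so any further path the share page requests will still show up as a 404 in the browser console and would need its own rule.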