Actually looks good. Where did you managed HTTPS, in ssl.conf?
In compare to your config I have following lines at the end right before </VirtualHost>
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
Header always set Referrer-Policy no-referrer
P.S. Here I found one note: Security: __Host-Prefix cookie setting? - #7 by LukasReschke
Sent only to the host which set the cookie. That is, a cookie
named “__Host-cookie1” set from “https://example.com” MUST NOT
contain a “Domain” attribute (and will therefore be sent only to
“example.com”, and not to “subdomain.example.com”).
Should be relevant for your case as soon as you are using nextcloud.domain.com