Nextcloud access CODE using public DNS and (as long there no additional measures) the request proceeds the whole way to you public-facing webserver/reverseproxy, which in your case seems to be cloudflare and then back to your CODE. If you setup everything right and each server in the chan add proper http headers and each server in the chain trust this headers the (CODE) service at the end could learn the origin of the request from the proxy headers. In your installation it seems to be the case - this is likely the reason why the request is shown as coming from your public IP. The solution would be to add your public IP to the wopi_allowlist or if you want to avoid the loop through the internet and all the intermediate system something like splitbraindns. For Docker setup I described a possible solution in Probably DNS help with NC Docker + Collabora + Wireguard tunnel which makes the server request coming from internal IP docker range 172.16.0.0/16 and allows simple and secure WOPI allow list config.