Please consult Collabora integration guide for mechanics and references of WOPI protocol.
I would say nothing bad happens as WOPI server requires a “token” to access files stored in Nextcloud.
Creating WOPI access list means limiting WOPI access to specific machines - in case of reverse proxy it would be this IP… but Cloudflare in front of the installation makes WOPI allow-list useless - Cloudeflare IPs are almost half of the internet…
you could setup local splitbraindns and make your WOPI server and Nextcloud talk internally - depending on the setup it might be hard (requires internal reverse proxy with TLS termination - but you have it in place 
) Look at this post the solution is similar - you just need to send both URLs to your local NPM…