Cloudflare Tunnel and Istio with mTLS enforced

Hello there,

Cloudflare Tunnel deployed as a pod works great without Istio.

I am now trying to enforce mTLS for traffic inside a service mesh.

Flow:
browser → Cloudflare Tunnel → Cloudflare pod → Istio sidecar → Server pod

I am getting this error:
"GET / HTTP/1.1" 503 UC upstream_reset_before_response_started{connection_termination}

I am not sure if I need to configure an egress or ingress gateway to work with the tunnel, to give an entry point for traffic to enter the mesh with mTLS. I am also not sure if these configurations need to be applied to an egress gateway: Tunnel with firewall · Cloudflare Zero Trust docs

Here is the Cloudflare Tunnel pod:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: cloudflared
  name: cloudflared-deployment
  namespace: myapp
spec:
  replicas: 1
  selector:
    matchLabels:
      pod: cloudflared
  template:
    metadata:
      annotations:
        # Opts this pod into sidecar injection (current Istio releases prefer the
        # same key as a pod label; the annotation form still works).
        sidecar.istio.io/inject: "true"
        sidecar.istio.io/proxyCPU: "100m"
        sidecar.istio.io/proxyCPULimit: "100m"
        sidecar.istio.io/proxyMemory: "128Mi"
        sidecar.istio.io/proxyMemoryLimit: "128Mi"
        # cloudflared dials the Cloudflare edge as soon as it starts; waiting for
        # the sidecar means that first connection is already intercepted by Envoy.
        proxy.istio.io/config: '{ "holdApplicationUntilProxyStarts": true }'
      labels:
        app: cloudflared
        version: v1
        pod: cloudflared
        network: myapp
    spec:
      containers:
        - command:
            - cloudflared
            - tunnel
            # The metrics/readiness server must bind 0.0.0.0 rather than localhost
            # so the kubelet can reach it on the pod IP for the probe below.
            - --metrics
            - 0.0.0.0:2000
            - run
          # Pin a specific release in production; "latest" makes rollbacks and
          # change tracking harder.
          image: cloudflare/cloudflared:latest
          name: cloudflared
          ports:
            - name: metrics
              containerPort: 2000
          env:
            - name: TUNNEL_TOKEN
              valueFrom:
                secretKeyRef:
                  name: myapp-secret
                  key: tunneltoken
          livenessProbe:
            httpGet:
              # cloudflared's /ready endpoint returns 200 if and only if it has an
              # active connection to the Cloudflare edge.
              path: /ready
              port: 2000
            failureThreshold: 1
            initialDelaySeconds: 10
            periodSeconds: 10

Just to add, this is the Service YAML that Cloudflare Tunnel is configured to send traffic to (http://myserver:9000). This works perfectly fine without mTLS enforced on Istio.

kind: Service
apiVersion: v1
metadata:
  name: myserver
  namespace: myapp
  labels:
    app: myserver
spec:
  ports:
      # A port name starting with "http" lets Istio classify the traffic as HTTP.
    - name: http
      protocol: TCP
      appProtocol: http
      # port: the port clients (here cloudflared) connect to on the Service
      port: 9000
      # targetPort: the port the container listens on
      targetPort: 9000
  selector:
    app: myserver
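The post says mTLS is enforced but does not show the policy that does it. The following is an added example, not from the original post, of how that enforcement is normally declared in Istio. It assumes the myapp namespace, the app=cloudflared label and the metrics port 2000 from the manifests above, and the security.istio.io/v1 PeerAuthentication API. On the gateway question: an Istio ingress gateway is the entry point for connections that originate outside the mesh, whereas cloudflared's outbound connection to myserver comes from a sidecar-injected pod, so it is already mesh traffic and its own Envoy is the one that originates mTLS towards the myserver sidecar. The policy below is what decides whether the myserver sidecar still accepts a plaintext connection on 9000 at all.

```yaml
# Added example; not from the original post.
# Namespace-wide enforcement. Without any PeerAuthentication the effective mode is
# PERMISSIVE (sidecars accept both mTLS and plaintext), which is why the tunnel
# worked before. With STRICT, the myserver sidecar accepts only mTLS: a plaintext
# connection that reaches it (for example from a pod whose sidecar is missing or not
# intercepting outbound traffic) is closed, and the client's Envoy records that as
# 503 with the UC response flag.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: myapp
spec:
  mtls:
    mode: STRICT
---
# Optional workload-level carve-out for the cloudflared metrics/liveness port.
# Only needed if the injector's HTTP probe rewriting has been disabled; by default
# Istio rewrites the httpGet probe so the kubelet's plaintext request to /ready is
# accepted, and STRICT does not break it. Port 2000 must be declared as a
# containerPort (as in the Deployment above) for the port-level rule to match.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: cloudflared-metrics
  namespace: myapp
spec:
  selector:
    matchLabels:
      app: cloudflared
  mtls:
    mode: STRICT
  portLevelMtls:
    2000:
      mode: PERMISSIVE
```

With the namespace policy applied, the checks worth running are: confirm the cloudflared pod really has two containers (kubectl -n myapp get pod -l app=cloudflared -o jsonpath='{.items[*].spec.containers[*].name}' should list both cloudflared and istio-proxy); run istioctl x describe pod against the myserver pod to see which PeerAuthentication is in effect for port 9000; and read the server side of the failure with kubectl -n myapp logs on the myserver pod with -c istio-proxy, which shows whether the connection arrived in plaintext and matched no TLS filter chain or whether an mTLS handshake started and then failed. Those two outcomes point at different causes (sidecar or interception missing on the client pod versus a certificate or trust-domain problem), so the server-side log is more informative than the 503 UC seen on the cloudflared side.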