Cloudflare Tunnel Service Auth doesn't work with Host header

I set up a Cloudflare Tunnel with an application with Service Auth. I’m trying to call this using a forward proxy on an NGINX server, but it returns a 403 Forbidden even with the right CF-Access-Client-Id and CF-Access-Client-Secret headers.

I noticed that when I CURL against the public endpoint, if I pass in only these two headers it works perfectly fine, but when I add a Host header, no matter what it is Cloudflare sends back a 403 even though I also have the CF headers.