How to allow a User and/or application to create certain TCP connections?

I have an application that is started via SMB. If I connect to my company's network via Zero Trust Tunnel, a simple click on the .exe on a shared network drive starts the application.

However, the application itself then connects to multiple TCP ports that it needs to work, some random ports like 9955, 10055, etc. As soon as the application wants to do this, it crashes, because Cloudflare Zero Trust blocks this (only SMB, RDP and SSH are fully allowed by default in Zero Trust Tunnel).

How can I make certain TCP ports allowed by default if a user is connected via Cloudflare Zero Trust Tunnel?

As far as I understand, I would need to add a public hostname in my tunnel for this service. However, I would not really like to make this information public via a hostname. Are there any other ways?