Outgoing IP / routing

I’ve configured EC2 instance without public IP and installed cloudflared there. I can see my tunnel up and healthy in Cloudflare dashboard. In the split tunnel Include IP and domains mode configuration I’ve added couple of domains and IP address range I am using in my AWS VPC.
I can connect to any private IP located in the VPC while my warp-cli is connected as well as when I run mtr/traceroute to these hosts I can see traffic going via the Cloudflare network but it is not being routed via the EC2 instance tunnel end and therefore AWS VPC NAT Gateway which causes a 403 error on services that have NAT Gateway IPs allowlisted. In my tunnel connector details I can see IP origin set to one of the NAT Gateway IPs.
Could someone explain me what is the logic behind this?
My understanding is that having EC2 instance running tunnel all or selected in tunnel split traffic will be routed via this instance not the random Cloudflare IP.