Single self hosted app, but talks to multiple hosts behind it. Can't get working

Here’s the scenario:

1 public hostname added to a new tunnel, * path, Service URL is internal server to access
1 application, self-hosted, same as Service URL, auth policy limits to Azure AD group, set to instant auth

When I access the public hostname, it auths me via Azure fine and brings up the server webpage fine. However, the server requires access to an API and database server behind it, and (I guess) has those two servers respond directly to the client, which is what’s breaking.

If I add a second public hostname mapping to the API server, for example, authentication on my internal server (the first hostname) works (vs. throwing an "API not available" error), but I don’t want the API/DB server accessible publicly. When I check Protect with Access on the API hostname under the tunnel, it breaks again. So my application tries to use two other URLs directly on the client device.

The documentation doesn’t make it clear (to my idiot brain) how this all works.

I tried to add a private network to the tunnel, that did nothing.

I want to require Azure auth to get to any of this, but have the primary hostname able to communicate/return stuff from the other back end servers, which I think means I DO need to add both of them to…the tunnel? Applications?

Please help if this makes any sense! Thank you!