Which do I prefer, my Nginx or Cloudflare?

Yes, but keep in mind that anyone could try to establish a connection from the country you've blocked at Cloudflare with Firewall Rules by going directly to the origin IP address (aside from HTTPS via Cloudflare, where they'd get the 1020 blocked page, access denied), if they know it and not only you.

However, by using a cloudflared tunnel and limiting connections to your origin server to Cloudflare IPs only, you'd be in a better position.

One thing that comes to my mind is Imunify360. If you have it installed on your origin host/server and choose to block some XYZ countries, they can't even establish a connection to your origin host. That is exactly the way to block countries in your iptables, for example, and not only from your websites via HTTP(S).

Not sure what you are using, but I've used the GeoIP database with Nginx, with which I limited access to some parts of my origin host for specific countries, as particular apps are in use there (although those blocked countries could still establish the connection, as they weren't blocked in iptables).
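One way to enforce the origin-side part of this advice (only Cloudflare's edge may reach the web ports, so a direct hit on the origin IP is dropped in the packet filter before Nginx sees it), added here as an example and not code from the thread. It assumes iptables on the origin, ports 80/443, and Cloudflare's published list at https://www.cloudflare.com/ips-v4; the embedded ranges are a constructed sample in that list's format, used so the script runs offline.

```shell
#!/bin/sh
# Added example: generate iptables rules that allow only Cloudflare edge
# ranges to reach the origin's HTTP(S) ports and drop everything else.
# Assumptions: iptables, ports 80/443, one-CIDR-per-line input like ips-v4.

# Constructed sample in the same one-CIDR-per-line format as ips-v4.
SAMPLE_RANGES="173.245.48.0/20
103.21.244.0/22
# comments and blank lines are ignored

198.41.128.0/17"

# Print the rule set for the ranges read from stdin. Nothing is applied here;
# review the output, then pipe it to sh as root.
cf_rules() {
    echo "iptables -N CF_ONLY 2>/dev/null || iptables -F CF_ONLY"
    while IFS= read -r cidr; do
        case "$cidr" in ''|'#'*) continue ;; esac
        # accept only entries shaped like a.b.c.d/nn; skip anything odd
        printf '%s\n' "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || {
            echo "skipping malformed entry: $cidr" >&2; continue; }
        echo "iptables -A CF_ONLY -s $cidr -j ACCEPT"
    done
    # everything else on the web ports is dropped before it reaches Nginx
    echo "iptables -A CF_ONLY -j DROP"
    echo "iptables -I INPUT -p tcp -m multiport --dports 80,443 -j CF_ONLY"
}

# Number of ACCEPT rules produced for a given list (quick sanity check).
accept_count() {
    printf '%s\n' "$1" | cf_rules 2>/dev/null | grep -c -- '-j ACCEPT'
}

if [ "${1:-}" = "--live" ]; then
    # fetch the current published list and print the rules for review
    curl -fsS https://www.cloudflare.com/ips-v4 | cf_rules
else
    printf '%s\n' "$SAMPLE_RANGES" | cf_rules
fi
```

Re-run it whenever Cloudflare updates the list, and keep SSH or management ports outside the CF_ONLY chain so you do not lock yourself out.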