I don’t use Windows, so I’m not quite sure how or where to import/store custom certificates and trust them.
However, the browser should be requesting a certificate on page load. (At least, that’s how it worked for me on macOS for either Chrome or Safari.)
And come to think of it, this is only when loading the HA webUI through the Cloudflare tunnel. It’s actually Cloudflare that wants the certificate, to validate according to the WAF rule.
But I would suggest it’s all somewhat irrelevant if accessing HA locally. I mean, if you trust yourself, there isn’t much need to get too secure?
For my setup, I do use internal and external FQDNs ( + subdomain for external, domain.tld for internal).
Through DNS rewrites, I manage local device connections to route to the local LAN IP, regardless of the domain in the request.
Doing this bypasses the CF Tunnel, which is OK, because I trust myself.