Deny login from external network while using HTML5 Push Notification

If I were to configure notify.html5 in Home Assistant, can I deny authentication into Home Assistant while still exposing 8123 to the outside? I do have my own digital certificate installed on my smartphone, which is a CA certificate, and a private Home Assistant certificate configured in Home Assistant as well.

I already have a VPN. I can log into my home network via VPN and access Home Assistant from there, so I would rather keep authentication only inside my network and VPN, while saying “Forbidden” to the outsiders who try to gain access to my HA instance via port 8123, and not be in Shodan. I don’t have a proxy in my network.

My router is pfSense running in a KVM virtual machine.

Is the implementation of notify.html5 possible without exposing a login page and without exposing the controls for my home automation system? Am I making this complicated? I’ve tried searching the forum, to no avail.

To rephrase, I want to accept authentication only in my private network while still being notified by Home Assistant while I’m out and about.