Finally got an answer! Been after this for for like a year, and I guess I finally typed the right combo of words into Google. Looks like there are two options:
- WebRTC, a custom HACS integration. I won’t pretend to understand the specifics, but it uses a protocol called WebRTC to serve the stream locally, and it uses one called MSE (Media Source Extensions) to stream it externally via JavaScript. I just installed this, and it works perfectly. In fact, the local stream is MUCH better than with a Picture Entity Card (my previous method). Previously, there was a 3-4s lag, but with WebRTC it’s nearly instant. Heck, the external stream is more responsive than the Picture Entity Card was. Cannot recommend this enough.
- RTSPtoWeb, another HACS integration. Honestly not sure the benefit of this, and the developer insisted there was little reason to switch to this from WebRTC. It seems like this one might not support MSE, thereby disallowing external access without a lot of hoops.
It should go without saying that being able to access camera streams remotely is a double-edged sword. While you can access them remotely, other people could potentially do so as well. I would not want to risk this without a long, random password.
Edit: Found another option - motionEye has no problem forwarding streams out of your local network. Particularly if you can have a use for the features of motionEye (primarily motion detection and recording), this seems the best option.