Reverse Proxing Through VPS, VPN Only

I have a VPS Setup to connect to my homelab using wireguard. I also have a domain name and everything works, but I’d rather not have my apps accessible to the public. Here’s what I currently have

example.com → cloudflare → vps → nginx proxy manager → wireguard → nginx proxy manger → some app

Is there a way I can make it so you can’t connect if you aren’t connected to the wireguard tunnel? I have wireguard running on pfSense and my phone, but I can’t resolve hostnames I setup.