#How do I restrict certain subdomains to be accessible from the localnetwork only?

Local firewall rules?

How would I configure this over cloudflare?

You can't. You need to restrict access on your site, in your local router/firewall appliance.

Are you sure?

I've read multiple places that it's possible but no real explanation on how

https://community.cloudflare.com/t/cloudflared-subdomain-only-on-local-lan/683936

Okay, maybe I understood your question wrong, you want a proxied subdomain on Cloudflare to be only accessible from a certain IP range (home network) correct? And all other IPs should get blocked?

Yea close enough I guess, I'm not sure what you mean by proxied

but whoever visits proxmox.example-homelab.com should be required to be on the network through a vpn or smth

Proxied means that the CNAME record in your Cloudflare DNS is orange and all requests to that subdomain go through the Cloudflare proxy.

Alright

but I want the possibility of making other subdomains public

so let's say, project1.esd-homelab.com

should be public

This sounds like complex setups, I first thought about recommending WAF rules for this, but they might not be powerful enough.
I'd recommend to look into Zero Trust and how to setup an app inside this framework (it support a gazillion way to for authentication/authorization) -> https://developers.cloudflare.com/cloudflare-one/setup/

I'm looking at that right now myself but when I try to setup a tunnel using the "private network", I'm not allowed to set any subdomain

I think you don't need a tunnel to setup an app for a subdomain.

How would I do it?

Not trivial, but also not extremely complex, I got a demo working after an hour or two. Read the docs, experiment, learn the lingo. There is no quick way. This stuff is a bit complex by design.

I dont know, that doesn't help me much tbh. I'm gonna give tunnelling a shot