Connection refused for docker container access via tailscale

There was another topic similar to this last year: Connecting to a service on a docker container through tailscale

But I can provide a fair amount of additional detail for mine, so I’ve started this new topic. As the title suggests, I’m running a couple of services in docker on an Azure VM connected to my tailscale account. When I try to access the services, I get a connection refused.

Output of docker-compose ps output, showing traefik and unifi containers running:

Here are the network interfaces on the VM (with real IPs anonymized):

ben@infra:~$ ip -4 -o addr show
1: lo    inet scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet brd scope global eth0\       valid_lft forever preferred_lft forever
3: tailscale0    inet 100.xx.xx.xx/32 scope global tailscale0\       valid_lft forever preferred_lft forever
4: docker0    inet brd scope global docker0\       valid_lft forever preferred_lft forever
5: br-5f3803a919de    inet brd scope global br-5f3803a919de\       valid_lft forever preferred_lft forever

I’m trying to addess the traefik dashboard on port 8081 via the tailscale network from my local workstation (which is also on tailscale), using this address: http://infra:8081, which relies on tailscale’s magic dns. In other words, infra resolves to 100.xx.xx.xx (same as shown above)
when I try to access it from the browser, I get this line in /var/log/syslog:

Apr 25 17:22:39 infra tailscaled[958]: Accept: TCP{100.xx.xx.xx:8081 > 100.yy.yy.yy:31232} 40 ok out

(100.yy.yy.yy being my local workstation)
which indicates to me that the tcp connection to the tailscale0 interface went through. you can see from the docker-compose ps output above that the containers are listening on , but the connection gets refused, which makes me think it might be a docker issue, and now I’m a bit stumped.