Securing a public domain that points to a cloud provider

Tailscale version 1.36.2
Your operating system & version: Working with Debian 11 in general.

I’m wondering what a set up might look like that secures a public domain. I have control of a lot of pieces here but I’m having trouble figuring out which pieces to put together to make this work.

I would like to have a staging environment that uses the host names of the production environment through the “stage” subdomain. So, let’s say Currently DNS points to a cloud provider IP (Fly io) who also handles Let’s Encrypt certificates.

Currently, when I visit through a browser, Fly receives and passes along my real client IP and that’s all the useful information about the client that gets passed to the server. But since Tailscale doesn’t really care about client IP, I’m not sure how to connect these dots.

From this set up, how would I go about using Tailscale to make sure that only devices on the tailnet are allowed to access

I do have a proxy server on Fly that successfully connects to the tailnet server and has a tailnet client running (using caddy-tailscale plugin) but I still don’t know how to use that to authorize a user coming from a public domain through the browser when all I have is their IP address (not even their Tailscale IP).

I am completely willing to dig into anything here and change things around to support this, whatever it takes. Just pointing in the right direction would help me a lot right now.