This was very exciting.
I read some documentation. Specifically, https://docs.opnsense.org/manual/how-tos/nat_reflection.html.
Once I slowed down, undid all the weird thrashing I did with various DNS shortcuts for route domains internally/directly (e.g. changing my unbound config, or creating aliases for my domain), and instead read the documentation for both reflection and hairpin NAT in OpnSense, I was good to go.
Thank you for joining me on this journey where I create noise on the forum and discover that, by reading the manual, I can solve my own problems. 🙂