Interesting find. While the primary purpose of Tailscale is easier P2P connections, I might take a look at how these real Let's Encrypt certificates are being used for .local/custom FQDNs and implement it on Lokal. Appreciate it.
To do it, they assign the host a subdomain under .ts.net. But your private host isn't exposed to the public internet, so I assume they just have a dummy host there to respond to the ACME challenge from Let's Encrypt. When you have the Tailscale VPN installed, I assume it overrides the DNS for ___.ts.net to point to the private IP of your local host.