I found some info here: ECH Protocol | Cloudflare SSL/TLS docs
For some reason, when I have a tunnel, it forces ECH to use that outer domain, but for some reason it just connects to the wrong server with the wrong ECH outer domain. Cloudflare enforces that ECH somehow with maybe a hidden DNS entry or something, which is not overridden and causes my clients to wrongfully execute the ECH with that Cloudflare domain.