Redirecting from 3rd party auth provider back to GlobalProtect Clientless VPN application

Thanks for everyone's insights on this in advance.

We are trying to expose an internally available web application (a self-hosted Git repository) through our GlobalProtect Clientless VPN. The challenge I'm trying to solve is setting the callback URL from our external authentication provider (Auth0) to redirect back to the portal address of the application, rather than the internal network address.

Since the application is being reverse proxied through the Clientless VPN, it isn't aware that it's being accessed through a Clientless VPN. After it reaches out to the auth provider, the redirect goes back to the internally hosted domain, which isn't publicly accessible.

Reviewing the docs at https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-clientless-vp... led me to believe that perhaps I'm approaching this differently than I should be. Not seeing anything in there about modifying HTTP headers, it's leading me to think that either there's another way to do this directly within Panorama, or the recommendation is to use an intermediary proxy between the Clientless VPN and our application to set the appropriate headers, allowing the authentication callback to complete.

Additionally, in our portal configuration advanced settings, we've configured our auth provider's tenant URL to be on the rewrite exclude domain list. That part is working as expected.

Our VPN gateways are licensed with the necessary subscriptions, including Advanced URL Filtering and GlobalProtect Gateway. Our Panorama instance is running on PAN-OS 11.1.x.

If anyone has guidance that I can follow to configure this correctly, your time and input would be greatly appreciated. Thank you.