I'm struggling with how to configure a production instance of Keycloak.

Here is my particular setup:
I'm deploying the docker image quay.io/keycloak/keycloak:18.0.0 (quarkus version) to an Azure Kubernetes (k8s) cluster. Everything in my deployment is in a private intranet except a public facing gateway/waf.

Client traffic is coming in from the internet to a public endpoint of:
https://mydomain.com/keycloak

This traffic is forwarded from a gateway to a (private) Azure API Manager (APIM) instance.
From APIM, I redirect to the actual backend keycloak service running in K8s.

The k8s keycloak service is fronted by an Azure load balancer on a fixed private IP - call it 10.20.3.60.
I created a private DNS record for 10.20.3.60 with a hostname keycloak.internal.private.
I cut a self-signed certificate for 'CN=keycloak.internal.private' and configured keycloak to use it so the traffic to keycloak is encrypted internally.
(I'm also port mapping the internal 8443 port to 443 on the load balancer).

So the external TLS is being terminated at APIM, then forwarded as another TLS request to an internal hostname.

So I have:
(External) https://mydomain.com/keycloak ->
[gateway] -> [APIM] ->
(Internal) https://keycloak.internal.private
-> [k8s pod] - keycloak listening on 0.0.0.0:8443

So far so good, I have it deployed and I can hit the keycloak /health endpoint on the external and internal URLs.
https://mydomain.com/keycloak/health
https://keycloak.internal.private/health

Now it's a little hazy how to complete the configuration.
I (think) I need:

1. To be able to access the keycloak web console from my intranet - eg) https://keycloak.internal.private/admin/*
2. For internal services to be able to communicate with keycloak to validate token signatures, etc.
3. For external clients to request auth tokens, etc. - eg) https://mydomain.com/keycloak/myrealm/auth

I'm confused on how these parameters need to be set up:
KC_HOSTNAME, KC_HOSTNAME_PORT, KC_HOSTNAME_STRICT_BACKCHANNEL, KC_PROXY

I think I'm maybe confused because I have two hostnames, essentially - and some of the terminology used in the guides feels ambiguous in this case.

KC_HOSTNAME - Do I use my internal or external hostname? I assume internal - since I need keycloak to construct correct web urls when using the admin web console. But will this affect external clients in any way? Like If I'm brokering to an external identify provider - will the redirect URLs incorrectly try to use my internal hostname or other similar effects?

KC_PROXY - edge, reencrypt, passthrough - What mode describes my scenario?

If I'm passing /auth requests from the internet through APIM, the scenario looks like reencrypt.
TLS is terminated at APIM, then the request forwarded as another TLS request to my internal hostname.

If I'm hitting the admin console from within my intranet there is no reverse-proxy terminating TLS.
The docs don't actually describe what effects these have - or address different scenarios for internal/external traffic. I don't quite understand why keycloak needs to know if my proxy is terminating TLS and re-encrypting or not- seems like that would be invisible to keycloak.

KC_HOSTNAME_STRICT_BACKCHANNEL - ? I want this false? - but the name is confusing. It seems like I'd only want backend endpoints to be accessible internally, but the docs say to set it to true when all traffic hits the public url.

KC_HOSTNAME_PORT - do I need to mess with this - the actual keycloak service is listing on 8443, but the k8s service is listening on 443.

I appreciate any help/enlightenment anyone can provide.
Thanks!