Is there a sensible way to secure a publicly-exposed Webhook or Web Socket node using inbuilt tools or add-ons without using a third party service (eg: Webhook Relay), or is a local secure proxy (eg: Nginx) the way to go?
Any good writeups for setting things up?
I generally recommend using a proxy as the main part of such a solution. It is mostly easier and safer to correctly configure.
However, a 3rd-party intermediate service such as Cloudflare zero-trust can be better if your security skills are limited.
Just note that securing websocket connections properly is somewhat more involved than securing HTTPS connections. This is because it isn't easy to have time-limited sessions. Once the initial HTTPS handshake has finished and the user connection upgrades to WSS, you no longer have access to custom headers, which is where you normally handle secure tokens for tracking sessions. So you may need to add the data to each message. If using Socket.IO rather than simple websockets, it has some additional features that let you include additional security data in the connection data.
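The point above about adding session data to each message, as an added example that is not part of the original post or of Node-RED's own code: a time-limited, HMAC-signed token is issued over HTTPS and then checked on every WebSocket frame. The token format, the `WS_TOKEN_SECRET` variable and the names `issueToken` and `verifyMessage` are assumptions made for illustration.

```javascript
// Added example: per-message, time-limited token check for WebSocket traffic.
// issueToken and verifyMessage are hypothetical names, not Node-RED APIs.
const crypto = require('crypto');

// Assumption: the real secret comes from the environment or a credential store.
const SECRET = process.env.WS_TOKEN_SECRET || 'constructed-demo-secret';

function sign(data) {
  return crypto.createHmac('sha256', SECRET).update(data).digest('hex');
}

// Issue a token over HTTPS at login time, before the socket is opened.
// Format: <sessionId>.<expiry epoch seconds>.<hex HMAC of the first two fields>
// The sessionId must not contain a '.' character.
function issueToken(sessionId, ttlSeconds, now = Date.now()) {
  const expiry = Math.floor(now / 1000) + ttlSeconds;
  const body = `${sessionId}.${expiry}`;
  return `${body}.${sign(body)}`;
}

// Check one incoming WebSocket frame. Every frame must carry {token, payload}.
function verifyMessage(raw, now = Date.now()) {
  let msg;
  try { msg = JSON.parse(raw); } catch (e) { return { ok: false, reason: 'malformed' }; }
  if (!msg || typeof msg.token !== 'string') return { ok: false, reason: 'missing-token' };

  const parts = msg.token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'bad-format' };
  const [sessionId, expiryStr, mac] = parts;

  // Constant-time compare; check length first because timingSafeEqual
  // throws when the two buffers differ in size.
  const expected = Buffer.from(sign(`${sessionId}.${expiryStr}`));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }

  // Trust the expiry field only after the signature has been verified.
  if (!/^\d+$/.test(expiryStr) || Number(expiryStr) * 1000 <= now) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, sessionId, payload: msg.payload };
}
```

When a frame is rejected as expired, the client has to fetch a fresh token over HTTPS and resend; the server side can also close the socket at that point.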
I would 100% recommend using a Cloudflare tunnel for your use-case as @TotallyInformation suggests. It's free, it's easy to set up and deals with http and ws perfectly well.
This is an old video showing how to expose the Node-RED dashboard, although today it is easier to configure the whole thing using Cloudflare's UI: