Bingo. sudo ufw allow 443/tcp fixed it.
I'm running an Ubuntu 22.04 virtual machine inside Hyper-V on Windows 11.
And I also now see the helpful comments in pihole.toml regarding how to create a private .pem certificate and where to store it.
Thanks!