Thanks @rubys I just found the solution.
Just as I was spinning up a minimal Rails app as per your suggestion, I googled to find the page about the config.hosts and why it’s a good idea:
I noticed it had a config.host_authorization part and so checked my code for this and found this in config/environments/production.rb:
# Skip DNS rebinding protection for the default health check endpoint.
# config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
After uncommenting the second line above and also removing the now unnecessary Fly host IP/port from my config.hosts in config/application.rb, I did another fly deploy and things worked fine!
Hopefully this will help others out there trying to deploy Rails apps! It’s probably a noob mistake on my part being relatively new to the framework, but it’s also nice to know these security measures are baked into the configuration.