Don’t use TLS / HTTP handlers, but raw TCP instead (docs | code), and the app should now be able to serve raw TCP and do TLS termination as need be. If you’re doing QUIC (UDP), it is much more trickier on Fly (see).
You can most definitely vend certs elsewhere and plonk them in to your Fly app via fly secrets (that’s what we do).
You shouldn’t have to move the registration of your domain over to Fly, I don’t think so. Per docs, it is enough to set up either CNAME or AAAA / A records to have Fly vend Let’s Encrypt TLS certs and manage them for you at their (edge) proxy.
This is a better option since you don’t have to worry about renewing certs on time, revoking certs in case of compromise, or handling its private keys. Note that, vending beyond 10 Fly-managed TLS certs isn’t free (pricing).
That said, you could also explore using a L3 (IP) load balancer (typically expensive, like Cloudflare’s MagicTransit) than the L4/L7 (TCP/UDP/HTTP) one that Fly has.