Sign certificate for LAN usage (.lan domain)

That's actually how my network is configured. I own two domains: one is for public-facing services and one is used only internally. I add all records for the internal ones to my Windows DNS server so it only resolves internally or when I'm connected to a VPN.

The internal domain also exists publicly with Cloudflare (but doesn't have any records except a CAA); I can use the DNS-01 challenge with Cloudflare's API to get certificates for it.

Though normally I use my own private PKI for the internal name, since I have some older devices that can't have renewal be easily automated.

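In the setup described above, the only record in the public zone is a CAA record, which is what controls which CA may issue for the internal names validated through DNS-01. The following is an added example, not part of the original post: it evaluates a single CAA RRset per RFC 8659, including the RFC 8657 `validationmethods` parameter. The CA identifier `ca.example` and all record values are constructed, and the function does not perform the DNS tree-climbing a real CA does.

```python
# Added example: evaluate one CAA RRset (RFC 8659) including the RFC 8657
# "validationmethods" parameter. Every record value here is constructed.

def parse_caa_value(value):
    """Split 'issuer; k=v; ...' into (issuer, params). ';' alone = no issuer."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            params[key.strip().lower()] = val.strip()
    return parts[0].lower(), params

def may_issue(rrset, ca_domain, method, wildcard=False):
    """rrset is a list of (flags, tag, value) tuples for the relevant name."""
    known = {"issue", "issuewild", "iodef"}
    # An unrecognised tag with the critical bit (128) set forbids issuance.
    if any(flags & 128 and tag.lower() not in known for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no applicable property means no CAA restriction
    for value in relevant:
        issuer, params = parse_caa_value(value)
        if issuer != ca_domain.lower():
            continue
        allowed = params.get("validationmethods")
        if allowed is None or method in [m.strip() for m in allowed.split(",")]:
            return True
    return False

# Constructed CAA set for the public side of an internal-only zone:
# one CA, DNS-01 only, no wildcard certificates from anyone.
INTERNAL_ZONE_CAA = [
    (0, "issue", "ca.example; validationmethods=dns-01"),
    (0, "issuewild", ";"),
]

if __name__ == "__main__":
    for ca, method, wild in [("ca.example", "dns-01", False),
                             ("ca.example", "http-01", False),
                             ("other-ca.example", "dns-01", False),
                             ("ca.example", "dns-01", True)]:
        print(ca, method, "wildcard" if wild else "single",
              "->", may_issue(INTERNAL_ZONE_CAA, ca, method, wild))
```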