VPN Or Public Gateway

I had this battle when I was setting up our system as well.

What we decided to do was to run Ignition in AWS, which we then connect to via an onsite VPN. This means it technically has a public IP; however, the AWS EC2 instance’s firewall only allows access via the VPN IP, essentially making it private. We then also have all of our local devices tunnel through a site-to-site VPN, which allows the local machines to connect to the cloud Ignition instance. So anyone on our local network (requires login credentials) or with VPN credentials is able to connect to the Ignition instance.

I had to learn quite a bit more networking to iron this one out.
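
The "public IP, but firewall only allows the VPN IP" arrangement described in the post above can be checked mechanically. The following is an added example, not part of the original post: it audits security-group ingress rules, using constructed sample data shaped like `aws ec2 describe-security-groups` output, and reports every source that falls outside the VPN address. The address 203.0.113.10, the group IDs and the port numbers are assumptions for illustration.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# 203.0.113.10 (documentation range) stands in for the on-site VPN's public IP;
# group IDs and ports are illustrative assumptions, not values from the post.
SAMPLE_GROUPS = [
    {"GroupId": "sg-good", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8043, "ToPort": 8043,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-bad", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8043, "ToPort": 8043,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    ]},
]


def find_exposed_rules(groups, allowed_cidrs):
    """Return (group_id, from_port, to_port, source) for every ingress source
    that is not fully contained in one of the allowed (VPN) networks."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for src in sources:
                net = ipaddress.ip_network(src, strict=False)
                # Compare only same-family networks; subnet_of() raises on a mix.
                contained = any(
                    net.version == a.version and net.subnet_of(a) for a in allowed
                )
                if not contained:
                    findings.append(
                        (group["GroupId"], perm.get("FromPort"),
                         perm.get("ToPort"), src)
                    )
    return findings


if __name__ == "__main__":
    for finding in find_exposed_rules(SAMPLE_GROUPS, ["203.0.113.10/32"]):
        print("ingress wider than VPN:", finding)
```

Note that a rule allowing the whole /24 around the VPN address is reported too, since it admits hosts other than the VPN endpoint.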