So I was able to solve it by renaming the existing public repo to something else (I went with “deprecated”), adding a custom domain to the private repo workflow, reconfiguring my DNS records, and re-triggering the build in the private repo.
The answer, as usual, was in the docs. Thanks for your help, @davidsneighbour, your questions prompted me to remember the DNS haiku:
It’s not DNS.
There’s no way it’s DNS.
It was DNS.