Then that kind of defeats the objective of having the thing available over the Internet. However, not exposing the service directly to the Internet is a step in the right direction.
L2TP on its own offers no security. It's a tunnel, nothing more. If you're going to use L2TP then make sure you've got some layer of encryption, such as IPsec, on top of it. There are some niche use cases for using L2TP without encryption, but yours isn't one of those.
If you're going to use a VPN to permit only your chosen users to connect, I would suggest something like WireGuard (easy to set up, and lightweight; it's pretty fast when in use), Tailscale (WireGuard with a fancy GUI and some clever hacks to make it easier for the user to set up a WG mesh), or OpenVPN (uses certificates so is slightly more difficult to set up).
Or, if you've already got IPsec in place on top of L2TP, and it works for you, then feel free to stick with it. The important bit is that you employ some protection; the specific flavour of protection isn't as important as that it does what it's supposed to do.
The answer, as with all things I.T.-related, is "it depends".
And what it depends on is how securely configured it is and whether or not there are any vulnerabilities in the software on the router.
Personally, I would advise against doing so. I prefer single-function devices, for simplicity. The more things a device has to do, the more things that can go wrong and the more risk there is of one component introducing a vulnerability.
Instead, set up a different device to run the HTTP server and leave the router to route. That's its job.
The above is only advice, which you are free to accept, adapt, or ignore as you see fit. Ultimately, it's your device and your network, so it's your choice how to proceed.