AWS CloudFormation / EC2 Networking: Accessing EC2 instance from the internet
I'd like to ssh to the client instance in this template from the internet.
https://github.com/aws-samples/aws-cloudhsm-cloudformation-template
The template for the VPC stack is here: https://github.com/aws-samples/aws-cloudhsm-cloudformation-template/blob/main/vpc.yaml
The template for the client instance stack is here: https://github.com/aws-samples/aws-cloudhsm-cloudformation-template/blob/main/cloudhsm.yaml
The cloudhsm stack is just put onto a private subnet of the vpc stack.
One approach I've tried is adding this NetworkInterfaces block to the rClientInstance, but I get "Network interfaces and an instance-level subnet ID may not be specified on the same request":

```yaml
rClientInstance:
  Type: AWS::EC2::Instance
  CreationPolicy:
    ResourceSignal:
      Count: 1
      Timeout: PT2H
  Properties:
    NetworkInterfaces:
      - AssociatePublicIpAddress: true
        DeleteOnTermination: True
        SubnetId: !Ref pClientInstanceSubnet
        DeviceIndex: 0
        GroupSet:
          - !Ref rClientInstanceSecurityGroup
```
I don't even know if this is the right approach. Maybe that's a public IP from the perspective of the host, not from the perspective of the VPC.
Maybe there's some way to set up routing in the VPC's internet gateway to expose one port. I don't know.
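
The error quoted in the question means the launch request carried a subnet both at instance level and inside NetworkInterfaces. As an added example (not from the original post or the aws-samples project), this template fragment sets the subnet and security group only on the network interface, places the instance in a subnet that routes to an internet gateway (a public IP on the private subnet would still be unreachable from the internet), and limits SSH to one admin range. The parameter names pPublicSubnet, pVpcId, pAdminCidr and pImageId, the resource rSshIngressSecurityGroup, the instance type and the CIDR value are assumptions for illustration.

```yaml
Parameters:
  pVpcId:                      # hypothetical parameter: the VPC created by the vpc stack
    Type: AWS::EC2::VPC::Id
  pPublicSubnet:               # hypothetical: a subnet whose route table sends 0.0.0.0/0 to an internet gateway
    Type: AWS::EC2::Subnet::Id
  pImageId:                    # hypothetical: AMI for the client instance
    Type: AWS::EC2::Image::Id
  pAdminCidr:                  # hypothetical: the only source range allowed to reach port 22
    Type: String
    Default: 203.0.113.10/32   # constructed value from the documentation address range

Resources:
  rSshIngressSecurityGroup:    # hypothetical resource, not part of the sample project
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SSH from a single admin range only
      VpcId: !Ref pVpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref pAdminCidr   # avoid 0.0.0.0/0 on an HSM client host

  rClientInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref pImageId
      InstanceType: t3.micro        # assumed size for the example
      # No SubnetId, SecurityGroupIds or SecurityGroups at this level:
      # once NetworkInterfaces is present, EC2 rejects a request that
      # also sets them on the instance itself.
      NetworkInterfaces:
        - DeviceIndex: "0"
          AssociatePublicIpAddress: true
          DeleteOnTermination: true
          SubnetId: !Ref pPublicSubnet
          GroupSet:
            - !Ref rSshIngressSecurityGroup
```

Any security group the instance already relies on (such as rClientInstanceSecurityGroup in the question) would be listed under GroupSet alongside the SSH group rather than under an instance-level property.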
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
