Not a
cal.com dev, but my 2c as someone who has set this up more than a few times:
What you are seeing is expected behavior. From the perspective of the nodejs host, it will should bind to 0.0.0.0:3000, regardless of the settings of the URLs. The only parameter that will affect the host binding is the PORT environment variable.
Setting values for BASE_URL, NEXTAUTH_URL, etc.. are for the application to know how to render links on the UI, and for the auth service to know where to reach out to get session ID information (the same localhost instance in this case.)
However, the URL values
should be configured to whatever public URL you have configured that points back to your instance.
A little bit of context here: The whole application kind of assumes it's running behind a proxy/load balancer of some kind, as is the case with Vercel/Heroku/Etc... and that these front-ends are doing SSL offloading.
You
could hypothetically directly expose it to the internet, you'd just need to set the PORT to 80. However you would not be able to secure the site with SSL doing that.