Point 2 is solvable by only matching the host part (last 64bit) of the IPv6 address. Something like this:
config rule
option src wan
option dest lan
option proto tcp
option dest_port 443
option dest_ip ::d63d:b86c:1778:d43e/::ffff:ffff:ffff:ffff
option target accept