I guess my fix was simpler than yours, because I knew I wanted everything VPN tunneled via wg, and only had one device that needed exposure.
But @pavelgl provided me a link, that you may have already read.
You want nothing but a VPN and a port fwd to see when you're in the cloud accessing your VPN, correct?
EDIT
Thank You ~ gonna let your last comment percolate while I stew on CGNAT.
This is where we are, and we can't ping bidirectionally (wg) as we are on an ISP w/ a working port fwd.
```
33.129.202.22 via 192.168.3.1 dev wlan0
192.168.1.0/24 dev br-lan scope link src 192.168.1.1
192.168.3.0/24 dev wlan0 scope link src 192.168.3.
```