Is your WireGuard connection fully trusted? Currently you have it associated with the wan firewall zone, which would certainly be appropriate for a commercial VPN provider connection. However, if this is your own VPS and is trusted, you can put it in its own zone and it can then be more permissive (making the firewall config more straightforward).
If it is not fully trusted, the wan (or another zone that is similarly restricted) makes sense.
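The two zone layouts described above, written out as OpenWrt `/etc/config/firewall` stanzas. This is an added example and not the poster's configuration; it assumes the WireGuard interface is named `wg0`, the LAN zone is `lan`, and the dedicated zone is called `wg`.

```shell
# Constructed example (not the poster's setup). Assumes interface 'wg0',
# an existing 'lan' zone, and a new zone named 'wg'.

# Trusted link (your own VPS): a dedicated 'wg' zone that accepts traffic
# from the tunnel and forwards both ways between wg and lan.
wg_trusted_zone() {
  cat <<'EOF'
config zone
    option name 'wg'
    list network 'wg0'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config forwarding
    option src 'wg'
    option dest 'lan'

config forwarding
    option src 'lan'
    option dest 'wg'
EOF
}

# Untrusted link (commercial VPN provider): keep wg0 inside the existing
# wan zone, so inbound traffic from the tunnel is rejected and outbound
# traffic is masqueraded like any other WAN egress.
wg_untrusted_zone() {
  cat <<'EOF'
config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    list network 'wg0'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
EOF
}

# Helper: extract the zone's input policy from a stanza, to confirm which
# posture (ACCEPT vs REJECT) a given layout applies to tunnel traffic.
zone_input_policy() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*option input '\(.*\)'/\1/p"
}
```

Paste the chosen stanza into `/etc/config/firewall` (replacing the existing wan zone in the untrusted case) and run `/etc/init.d/firewall reload`.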