@mikma No, although port forwarding was something I tried along the way, along with policy based routing, in the end it was not necessary. In fact, let me stress this for anyone else who finds this thread: The tutorial on setting up WireGuard that is linked in the OpenWrt manual page on WireGuard (I've given the link twice above) works perfectly if you follow it exactly. The tutorial gives an example of an Android client, and I used TunSafe, but setting up the client is the easy part.
One thing that may not be clear from the tutorial is the encryption keys, so let me spell this out: First, the command he gives puts the client keys in whatever directory you run the commands in, and it puts the server keys in /etc/wireguard. To avoid confusion, after you execute the first command to create the directory /etc/wireguard, just change to that directory before running the two commands to generate the keys. Then all four key files will be in /etc/wireguard.
The other insight, not spelled out at all in the tutorial, is that you will be generating PUBLIC and PRIVATE keys for both SERVER (your OpenWrt box) and CLIENT (your remote device). So when he tells you to enter the PRIVATE key, it's the SERVER PRIVATE key you want. And when he tells you to enter the PUBLIC key (in the PEERS section of the WireGuard interface), it's the CLIENT PUBLIC key you enter. On the other end, in your remote device client setup, it's vice versa: The PRIVATE key will be the CLIENT PRIVATE key you generated, and the PUBLIC key will be the SERVER PUBLIC key. I know this is obvious for the cognoscenti, but it took me a day to get this simple reality into my head.
@lleachii I have done some reading, and you're right, there are many ways the Shields Up! port testing can be unrevealing, and in fact I guess I wasn't testing UDP. Also, I'm convinced that @psherman is correct, AT&T Wireless is in fact using CG-NAT, so I was doomed from the start trying to use the LTE modem as an ISP for my OpenWrt WireGuard router. In my case it doesn't matter, because this is all on a test bench and when finally installed the router will be on a true routable "business class" IP, which is what I swapped to when I made my discovery. The LTE modem works great for remote access, i.e. connecting a WireGuard client to it.
I'll have to say again, WireGuard is truly amazing! Virtually instant connection, no perceptible overhead (blazing fast--or as fast as your internet connections on either end), and in fact really easy to set up in OpenWrt if you simply follow the tutorial linked above. There are other things you can do in the config, like restricting allowable clients, using "nonstandard" ports, etc. But for now, I'm happy, and I hope others find this thread and don't spend days pulling their hair out only to find that the problem is with their ISP. Try connecting with Remote Desktop first--that's how I found out that AT&T was sabotaging my work (it didn't work either)...