UnofficialTruth.org

Alpine VM inside OpenBSD with NAT over WireGuard to ProtonVPN



TheResearcher   Mod 37
25 Jul 2024

This was the magic sauce in my /etc/pf.conf:

pass in log (to pflog3) on tap0 proto {udp, tcp} route-to wg0
pass out log (to pflog4) on wg0 received-on tap0 nat-to wg0

The logging was for debugging with tcpdump -t -i pflog3.

TheResearcher   Mod 37
25 Jul 2024

Current final form:

pass in on tap0 proto {udp, tcp} from 100.64.1.3 route-to wg0
pass out on wg0 proto {udp, tcp} to any port {domain, www, https} received-on tap0 nat-to wg0
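The two logged rules above write the tap0 "pass in" packets to pflog3 and the wg0 "pass out ... nat-to" packets to pflog4, so the two captures can be correlated to confirm that every VM flow actually leaves the tunnel with a rewritten source. The following checker is an added example, not code from the thread: it parses the per-packet headers that tcpdump prints for a pflog interface (line format assumed here), and the sample captures, rule numbers and the 10.2.0.2 tunnel address are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Per-packet header that tcpdump prints for a pflog interface with -n -t
# (format assumed for this example; trailing protocol details are ignored).
_LINE = re.compile(
    r"^rule \d+/\(match\) (?P<action>pass|block) (?P<dir>in|out) on (?P<ifn>\S+): "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)
Flow = Tuple[str, str, str]  # (src, dst, dport)

def parse_pflog(text: str) -> List[Dict[str, str]]:
    """Header fields of every parsable line; other lines are skipped."""
    return [m.groupdict() for m in map(_LINE.match, text.splitlines()) if m]

def audit_nat(pflog3_text: str, pflog4_text: str, vm_addr: str, wg_addr: str) -> Dict[str, List[Flow]]:
    """Correlate 'pass in on tap0' flows (pflog3) with 'pass out on wg0' flows (pflog4).
    natted:  tap0 flows seen on wg0 with the source rewritten to the wg0 address
    leaked:  wg0 flows still carrying the VM address as source (nat-to did not apply)
    missing: tap0 flows with no (dst, dport) counterpart on wg0 (dropped or routed elsewhere)
    Source ports are not compared: nat-to rewrites them unless static-port is set."""
    inbound = [(p["src"], p["dst"], p["dport"]) for p in parse_pflog(pflog3_text)
               if p["dir"] == "in" and p["src"] == vm_addr]
    outbound = [(p["src"], p["dst"], p["dport"]) for p in parse_pflog(pflog4_text)
                if p["dir"] == "out"]
    natted, missing = [], []
    for flow in inbound:
        same_dst = [o for o in outbound if o[1:] == flow[1:]]
        if any(o[0] == wg_addr for o in same_dst):
            natted.append(flow)
        elif not same_dst:
            missing.append(flow)
    leaked = [o for o in outbound if o[0] == vm_addr]
    return {"natted": natted, "leaked": leaked, "missing": missing}

# Constructed sample captures: VM is 100.64.1.3 behind tap0, wg0 is 10.2.0.2 (tunnel
# address assumed). The 9.9.9.9 lookup is constructed as a NAT failure and the
# 198.51.100.7 connection as a flow that never reached wg0.
PFLOG3_SAMPLE = """\
rule 2/(match) pass in on tap0: 100.64.1.3.51234 > 1.1.1.1.443: S 1:1(0) win 65535
rule 2/(match) pass in on tap0: 100.64.1.3.40001 > 9.9.9.9.53: 12345+ A? example.com.
rule 2/(match) pass in on tap0: 100.64.1.3.40002 > 198.51.100.7.80: S 2:2(0) win 65535
"""
PFLOG4_SAMPLE = """\
rule 3/(match) pass out on wg0: 10.2.0.2.61001 > 1.1.1.1.443: S 1:1(0) win 65535
rule 3/(match) pass out on wg0: 100.64.1.3.40001 > 9.9.9.9.53: 12345+ A? example.com.
"""

if __name__ == "__main__":
    print(audit_nat(PFLOG3_SAMPLE, PFLOG4_SAMPLE, "100.64.1.3", "10.2.0.2"))
```

Feed it real captures with something like tcpdump -n -t -i pflog3 on the host; any entry under "leaked" means a VM flow left wg0 without the nat-to rewrite.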
TheResearcher   Mod 37
25 Jul 2024

I also noticed that if I set the VM’s DNS to 10.2.0.1, which is the Proton resolver, I would see ICMP port unavailable messages bouncing from 10.2.0.2 on the tcpdump inside wg0. Something beyond my understanding with how pf works with the nat-to rule for addresses in the same interface/subnet.
