These have been there atleast from 388.2. This wouldn't typically be an issue for anyone else unless they are using the same vpn as you. May I ask which vpn provider you have?I wonder if this route is something new in 388.4 cause the few other posts about port forwarding via WireGuard haven't come across this issue yet but they are older threads so chances are they were using an older firmware version.
Unless your port test was done from your vpn provider own service it appears your vpn provider MASQUARADES port forwarded packets which is stupid in more ways than one.
Firstly it creates routing difficulties like in our case since the vpn tunnel to this ip must be over wan. Many implementation uses wireguard build-in fwmarks for this but some don't. Like our routers where fwmarks are already used by ai protect.
Secondly, if you create a local service accessible from internet you surely would like to know which are using it so you could prevent bots and track potential threats.