I'm not a networking guy. Do you think that approach would work for a device behind CG-NAT? (i.e. route the IPv6 address over the WAN, rather than port forwarding; which I can't do because of the CG-NAT)
You mean you have CGNAT for IPv4 but a publicly routable IPv6 delegated subnet? If so, sure, what I wrote depends only on the IPv6 delegated subnet. How you get your IPv4 address is not relevant to it.
What I'm saying is that if you can get, say, 2001:db8:1234::/48 delegated to your router, then:
1. You would configure your LAN to have the subnet 2001:db8:1234:1::/64
2. You would configure the webserver on your LAN to have a static IP like 2001:db8:1234:1::1
3. You would add a firewall rule in your router on the WAN interface to allow incoming TCP traffic with destination [2001:db8:1234:1::1]:443. (This rule would have higher precedence than the default rule that blocks all incoming traffic.)
At this point, anyone in the world who attempts to reach 2001:db8:1234:1::1 will reach your ISP, which will route it to your router's WAN interface (because the ISP delegated the prefix to your router), which will allow the packet to cross from WAN to LAN because of the firewall rule, which will then route it to your webserver.
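The three steps in the reply above, modelled as an added example that is not part of the thread: it checks that the addressing plan is consistent and shows which inbound packets the single allow rule exposes. The `Rule` class, the `WAN_TO_LAN` list and first-match evaluation are assumptions made for illustration, not any particular router's configuration syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Values from the post above (2001:db8::/32 is the IPv6 documentation range).
DELEGATED = ipaddress.ip_network("2001:db8:1234::/48")
LAN = ipaddress.ip_network("2001:db8:1234:1::/64")
SERVER = ipaddress.ip_address("2001:db8:1234:1::1")

@dataclass(frozen=True)
class Rule:  # hypothetical model of one firewall rule
    action: str                                   # "accept" or "drop"
    proto: Optional[str] = None                   # None matches any protocol
    dst: Optional[ipaddress.IPv6Network] = None   # None matches any destination
    dport: Optional[int] = None                   # None matches any port

    def matches(self, proto, dst, dport):
        return ((self.proto is None or self.proto == proto)
                and (self.dst is None or dst in self.dst)
                and (self.dport is None or self.dport == dport))

# Assumed WAN-to-LAN rule list, evaluated top to bottom, first match wins.
ALLOW_HTTPS = Rule("accept", "tcp", ipaddress.ip_network(f"{SERVER}/128"), 443)
DEFAULT_DROP = Rule("drop")
WAN_TO_LAN = [ALLOW_HTTPS, DEFAULT_DROP]

def plan_is_consistent():
    """Steps 1 and 2: the LAN /64 lies inside the delegation, the server inside the LAN."""
    return LAN.subnet_of(DELEGATED) and SERVER in LAN

def verdict(rules, proto, dst, dport):
    """Step 3: walk the rules in order and return the first matching action."""
    dst = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(proto, dst, dport):
            return rule.action
    return "drop"  # nothing matched: fail closed

if __name__ == "__main__":
    probes = [("tcp", "2001:db8:1234:1::1", 443),   # the published service
              ("tcp", "2001:db8:1234:1::1", 22),    # same host, other port
              ("udp", "2001:db8:1234:1::1", 443),   # same port, other protocol
              ("tcp", "2001:db8:1234:1::2", 443)]   # another LAN host
    print("plan consistent:", plan_is_consistent())
    for p in probes:
        print(p, "->", verdict(WAN_TO_LAN, *p))
    # Rule order matters: with the default drop first, the allow rule never fires.
    print("misordered:", verdict([DEFAULT_DROP, ALLOW_HTTPS], *probes[0]))
```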