I would use an existing product, maybe something like cloudflare tunnels.

Hi, I have worked on security teams, done supplier assessments and built infrastructure / deployed vendor agents.

Both of these options (assuming best practice configuration) would be acceptable to any security team I've worked on based on the fundamentals. But the limitations of corporate environments and processes mean that one is much easier than the other.

Practically speaking, supplier assessment forms usually have standard paths for TLS, endpoints, settings / ciphers etc. The paperwork is more complicated for WireGuard because there are no "boxes" for it, you have to write out lengthy explanations into spreadsheet cells. It produces a small feeling of discomfort for people filling out and reading form because it does not look "completely standard".

With my deployer hat on - TLS is the happy path. As a deployer, you often don't "own" the network, that's a separate team. These teams (and their equipment) very greatly in their capacity, sometimes they are excellent, sometimes they are dysfunctional. There is usually a standard process or form for "TLS egress to XYZ" - but anything that is NOT this will trigger a complicated workflow requiring actual meetings and people looking at architectures and diagrams etc. You will basically find it "impossible" to deploy into some customer environments if you don't go with TLS, that is the bitter reason why everyone uses it despite other things being "better" along certain dimensions.

Even mTLS or non-public CAs won't work "out of the box" if there is a middlebox that does inspection by terminating and re-establishing the TLS connection. There is usually a ticket / standard process for this - but some customers will need hand-holding through that. That (plus the practical difficulties of terminating it in cloud, which are not so bad in 2025 anymore) is one reason mTLS is not more widely used.