I've considered this further, and it's not going to work the way you think.
My suggestion doesn't _quite_ satisfy your goal - what it will do is open *both*
443 _and_ 8443 to the Internet.
Use a DNAT rule to transform WAN IP:8443 into LAN IP:443.
Add a WAN_LOCAL firewall rule allowing TCP 443, and specify destination LAN_IP.
The above will not open port 443 on your WAN_IP!
Moreover, on the WAN_LOCAL firewall rule, also filter on source IP, so only your external mgmt IPs can use the GUI remotely.
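
An added example, not part of either post: a small Python model of the packet path described above, showing which WAN-side connections reach the GUI. It assumes netfilter-style ordering (DNAT is applied before the WAN_LOCAL filter) and a default-drop WAN_LOCAL; all addresses are constructed documentation-range values.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed sample values (documentation ranges), not taken from the thread.
WAN_IP = ip_address("198.51.100.2")
LAN_IP = ip_address("192.168.1.1")
MGMT_SOURCES = [ip_network("203.0.113.10/32")]  # allowed external mgmt IPs


@dataclass(frozen=True)
class Packet:
    src: object
    dst: object
    dport: int  # TCP destination port


def prerouting_dnat(pkt):
    """DNAT runs before filtering: WAN_IP:8443 is rewritten to LAN_IP:443."""
    if pkt.dst == WAN_IP and pkt.dport == 8443:
        return replace(pkt, dst=LAN_IP, dport=443)
    return pkt


def wan_local_accepts(pkt):
    """WAN_LOCAL sees the post-DNAT packet; anything not matched is dropped."""
    return (
        pkt.dst == LAN_IP
        and pkt.dport == 443
        and any(pkt.src in net for net in MGMT_SOURCES)
    )


def reachable(src, dst, dport):
    """True if a WAN-side TCP connection to dst:dport reaches the GUI."""
    pkt = Packet(ip_address(src), ip_address(dst), dport)
    return wan_local_accepts(prerouting_dnat(pkt))


if __name__ == "__main__":
    cases = [
        ("203.0.113.10", "198.51.100.2", 8443),  # mgmt IP, translated port
        ("203.0.113.10", "198.51.100.2", 443),   # mgmt IP, WAN_IP:443 directly
        ("192.0.2.77", "198.51.100.2", 8443),    # other source, translated port
        ("192.0.2.77", "198.51.100.2", 443),     # other source, WAN_IP:443
    ]
    for src, dst, dport in cases:
        verdict = "ACCEPT" if reachable(src, dst, dport) else "DROP"
        print(f"{src} -> {dst}:{dport}  {verdict}")
```

Only the first case is accepted: the firewall rule matches the translated destination (LAN_IP:443), so a connection to WAN_IP:443 never matches it.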