Afternoon y’all, apologies if this is brief; I’m writing this in a rush, so expect an edit/update.
My question is in regard to port forwarding and web hosting. I’ve forwarded ports 80, 8080 and 443 on my router, and my reverse proxy (Traefik) is able to receive the necessary SSL/TLS certificates. However, my domain is only accessible locally or via WireGuard tunnels and not from the World Wide Web (which is good!), and I can’t seem to figure out what’s preventing it from being accessible to the WWW.
My registrar is Cloudflare, so I figured changing my DNS, or at least pushing some queries to my Cloudflare nameservers, would at least do something, but I have had no luck. For the most part I’ve been using Quad9 behind Pi-hole for DNS; I tried using Unbound, however it was a complete mess to set up.
Must end this post here - will update with more info ASAP!
If you’re behind a CG NAT (carrier grade NAT), you’ll be doubly in trouble as it will be essentially impossible to get a forwarded port since your “IP” is essentially a LAN address within your ISP’s CG NAT, if that makes sense.
It does spell trouble, but you might be able to ask your ISP to give you a public IP in that case.
Many ISPs block some traffic on those ports for residential customers in order to force you to use a much more costly business account to be able to host your own website.
This is a good point. I know there are a handful that my ISP blocks right off the bat. For me it’s 25, 135, 137, 138, 139, 445, 6666, 6667.
If you’re already using Cloudflare, I’d recommend a Cloudflare Tunnel to your reverse proxy.
As was said, many ISPs will block port 80/443, but they won’t be seeing it that way with a tunnel. You’ll also get some Cloudflare protections in front of your services.
See what IP your domain points to, and whether that’s really the external IP of your router. It might also help to put your IP address into the web browser instead of the domain, to see if ports 80/443 really go somewhere. Another possibility: do a port scan from the internet.
Btw, how do you access WireGuard? I mean that’s also somehow able to access your network from outside…
Why do you forward the port of the web UI?
“my router and my reverse proxy (traefik) is able to receive the necessary SSL/TLS certificates however”
From something like Let’s Encrypt?
As an HTTP-01 challenge? Not a DNS-01 challenge?
An HTTP-01 challenge means that port 80 is accessible from the public internet (because that’s how LE can confirm it can reach your server via the public DNS records: proof of server ownership).
DNS-01 is about proof of DNS record ownership, and doesn’t prove public internet access. Also, what are you self-hosting?
Does it really need to be publicly accessible? Or just accessible by you and people you trust?
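The distinction this reply draws, shown in code: an HTTP-01 validation is an inbound HTTP request from the CA to port 80 of whatever your public A/AAAA record points at, while DNS-01 only needs a TXT record in public DNS and never connects to your host. This is an added example, not code from the thread or from Let’s Encrypt or any ACME client. The token and account-key thumbprint are made-up constants (in a real issuance the CA chooses the token and the thumbprint is derived from your ACME account key), and the throwaway HTTP server on 127.0.0.1 stands in for the reverse proxy.

```python
"""What HTTP-01 and DNS-01 prove (added example; not from the thread).

Follows RFC 8555 sections 8.1, 8.3 and 8.4. A loopback HTTP server stands in
for the reverse proxy and a plain fetch stands in for the CA's validator.
"""
import base64
import hashlib
import http.server
import socketserver
import threading
import urllib.request

# Constructed values (assumptions): the CA picks the token; the thumbprint is
# the RFC 7638 thumbprint of your ACME account key.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def key_authorization(token: str, thumbprint: str) -> str:
    """RFC 8555 s8.1: token || '.' || base64url(thumbprint of account key)."""
    return token + "." + thumbprint


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 s8.4: value of the TXT record at _acme-challenge.<domain>.

    The CA looks this up in public DNS. It proves control of the zone and
    says nothing about whether the host is reachable from the internet.
    """
    digest = hashlib.sha256(key_authorization(token, thumbprint).encode()).digest()
    return b64url(digest)


class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Serves /.well-known/acme-challenge/<token> like an ACME-aware proxy."""

    def do_GET(self):
        if self.path == "/.well-known/acme-challenge/" + TOKEN:
            body = key_authorization(TOKEN, THUMBPRINT).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the example quiet
        pass


def validate_http01(host, port, token, thumbprint, timeout=3.0):
    """What the CA's validator does for HTTP-01: an inbound TCP connection to
    the host named by the public DNS record (port 80 in real life), comparing
    the body with the expected key authorization. Trailing whitespace in the
    body is ignored, as the RFC allows."""
    url = "http://%s:%d/.well-known/acme-challenge/%s" % (host, port, token)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode().strip() == key_authorization(token, thumbprint)
    except OSError:  # connection refused, timeout, HTTP error: all failures
        return False


def simulate_http01(token=TOKEN, thumbprint=THUMBPRINT):
    """Start the stand-in origin on a free loopback port and validate it.

    If this host were behind CGNAT or an ISP port block, the real validator
    would get exactly the 'connection refused / timeout' branch above.
    """
    with socketserver.TCPServer(("127.0.0.1", 0), ChallengeHandler) as srv:
        port = srv.server_address[1]
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            return validate_http01("127.0.0.1", port, token, thumbprint)
        finally:
            srv.shutdown()


if __name__ == "__main__":
    print("HTTP-01 validated:", simulate_http01())
    print("DNS-01 TXT value :", dns01_txt_value(TOKEN, THUMBPRINT))
```

The practical upshot for the original question: if the certificate was obtained with HTTP-01 (Traefik’s `httpChallenge`), then at issuance time port 80 on the public IP was reachable from the outside, which narrows the problem to DNS or port 443; if it was DNS-01 (Cloudflare API token in Traefik), the certificate tells you nothing about inbound reachability.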