Honestly, it sounds like you are trying to get one router doing more than it should be being asked to do. Not really that it can't do it but there are two distinctly different purposes in play here.
We own the building and provide guest wireless, but we have tenants, other companies. We don’t need their people seeing our LAN. However, we are an MSP, so at the same time we may have Labtech agents on their machines that need to talk to support.mycomp.com by that external. We also may have PCs in for repair on the technet, that may be infected with viruses or anything else, but we still need access to our tools from the web.
So yes, on the wifi I literally want it to go out the GuestWifi Net, out the external WAN that is set on and come right back in through the firewall as if it was a completely segregated network with its own firewall but without me stuffing any more stuff in my racks.
The router is not going to send something out to the internet when it is destined for an address on the router itself. Maybe with policy routing. But it really sounds like things might make more sense if you had a Guest/ISP/Tenant firewall and an MSP/Development/Testing firewall.
All gets infinitely easier with a proper routed subnet you can use on an inside interface instead of this 1:1 + NAT reflection stuff.
To expand on your specific example (thank you for that), when you enable NAT reflection, the NAT happens when the connection enters the GUESTWIFI interface. Then the firewall rules on that incoming interface are processed. When you connect from 172.16.2.16 to 123.234.111.226, the first thing that happens is the NAT reflection.
Now you are dealing with a connection from 172.16.2.16 to 10.50.0.22 as far as the firewall rules are concerned.
You are passing traffic on the GUESTWIFI interface to ! ip_TrustedNetworks. Does that traffic match the post-NAT destination? I am guessing not as I am assuming 10.50.0.0/24 is included in the ip_TrustedNetworks alias.
(Blocking traffic using a pass to ! rule is another issue for another day. My advice is to BLOCK/REJECT to ip_TrustedNetworks then PASS to any.)
So, on GUESTWIFI, you probably want to specifically pass the connections to the REAL IP ADDRESS of the destination host, 10.50.0.22 in this case (limiting to specific ports, etc. OK here too, such as destination TCP 25, 587, 465, 110, 143, 993, and 995 for your typical, non-Microsoft mail server.)
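The evaluation order described in the last post, modelled as an added Python example (not part of the thread and not pfSense code): NAT reflection rewrites the destination first, then the GUESTWIFI rules see the post-NAT address. It assumes ip_TrustedNetworks contains 10.50.0.0/24 as the poster guesses, top-down first-match rules with a default deny, and uses 198.51.100.7 as a constructed internet address.

```python
import ipaddress

# Values from the thread; the alias contents are the poster's assumption.
REFLECTION = {"123.234.111.226": "10.50.0.22"}    # 1:1 NAT: external -> internal
TRUSTED = [ipaddress.ip_network("10.50.0.0/24")]  # ip_TrustedNetworks (assumed)
MAIL_PORTS = {25, 587, 465, 110, 143, 993, 995}


def in_trusted(ip):
    """True when ip falls inside the modelled ip_TrustedNetworks alias."""
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED)


# Each rule: (action, destination predicate, TCP port set or None for any port)
ORIGINAL_RULES = [
    ("pass", lambda d: not in_trusted(d), None),        # pass to ! ip_TrustedNetworks
]
SUGGESTED_RULES = [
    ("pass", lambda d: d == "10.50.0.22", MAIL_PORTS),  # real IP, mail ports only
    ("block", in_trusted, None),                        # block to ip_TrustedNetworks
    ("pass", lambda d: True, None),                     # pass to any
]


def evaluate(rules, dst, port):
    """Model of GUESTWIFI: reflection rewrites dst, then the first matching rule wins."""
    dst = REFLECTION.get(dst, dst)   # NAT happens before the rules are processed
    for action, match_dst, ports in rules:
        if match_dst(dst) and (ports is None or port in ports):
            return action, dst
    return "block", dst              # nothing matched: default deny


if __name__ == "__main__":
    cases = (("123.234.111.226", 25),   # guest -> reflected mail server, SMTP
             ("123.234.111.226", 445),  # same host, port not in the pass list
             ("10.50.0.5", 443),        # another trusted host, addressed directly
             ("198.51.100.7", 443))     # constructed internet destination
    for name, rules in (("original", ORIGINAL_RULES), ("suggested", SUGGESTED_RULES)):
        for dst, port in cases:
            print(name, dst, port, "->", evaluate(rules, dst, port))
```
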