Ahhh! This explains so much!
I had tried to copy my existing rules across from IPsec tunnels to WireGuard and it just wasn't working like I expected.
I hadn't considered the gateway interface was doing NAT - makes sense I guess when you think about it. Switching to Manual Outbound NAT and then disabling the WireGuard interface fixed it.
This really gets pretty messy when you're doing multiple site-to-site IPsec migrations to WireGuard (I was having poor performance using IPsec / Starlink for whatever reason - WireGuard just seemed to work).
Can anyone recommend a pfSense / WireGuard guru that would be available to look over a proposed setup and provide best practice? Happy to pay - I'd rather do it once correctly than introduce unnecessary workarounds and fixes to get it going. Approx. 20 sites, DC, Azure (pfSense).