If the issue persists, it must be due to using a domain name for the endpoint.
To avoid deadlocks in that case, WireGuard activation should be delayed until connectivity check reports success:
CON_UUID="$(nmcli -g TYPE,UUID connection show \
| awk -F ":" -e '$1=="wireguard"{print $2}')"
for CON_UUID in ${CON_UUID}
do sudo nmcli connection modify uuid ${CON_UUID} \
connection.autoconnect no
done
sudo tee /etc/NetworkManager/\
dispatcher.d/00-wireguard << "EOF" > /dev/null
#!/usr/bin/bash
CON_UUID="$(nmcli -g TYPE,UUID connection show \
| awk -F ":" -e '$1=="wireguard"{print $2;exit}')"
CON_STATE="$(nmcli -g GENERAL.STATE \
connection show uuid "${CON_UUID}")"
if [ "${NM_DISPATCHER_ACTION}" = "connectivity-change" ] \
&& [ "${CONNECTIVITY_STATE}" = "FULL" ] \
&& [ "${CON_STATE}" != "activated" ]
then nmcli connection up uuid "${CON_UUID}"
fi
EOF
sudo chmod +x /etc/NetworkManager/dispatcher.d/*