For a bridge, you can set NAT rules via the VyOS CLI.
I understand now I may have overcomplicated the issue. The problem is Podman CNI port-mapping, and the workaround is manually configuring NAT. Is this limited to DNAT, or SNAT as well?
On the other hand, using macvlan with a virtual interface might still make sense for a few reasons. It would make container networking more explicit and consistent, possibly allow re-use of existing validation checks (e.g. IP range conflicts et al)?