Just an observation from someone with just enough knowledge to be dangerous - I've always understood the modem to just provide access to the internet and the device your ISP sees that determines the IP they issue you... I bought my own modem (Arris SB8200) for my Xfinity service, but it's just that - a modem with zero routing or intelligence. There is no port forwarding etc required. My Flint 2 MT6000 wan port connects to my modem and provides all the routing.
It sounds like your Xfinity 'modem' is one of those all-in-one modem/router/wifi devices? If that's the case there may be a way to disable all the uneeded functionality from the Xfinity device so your GL router gets that role instead. OR, save some rental money and replace the (usually crappy) Xfinity gear with your own modem. ISP's usually provide gateway devices catered to the 'average dumb consumer' and often either lack features more advanced users may want or even worse, block them from working.
I've got WireGuard running on my Flint 2 and it works like a charm. I don't think I had to do much of a setup other than create a vpn user and create the config file. I'm using GL's built in DDNS option as my Xfinity service is dynamic rather than static. And when I'm away from home, the WG client connects virtually instantly to my home network - it's sooo much faster than the Openvpn setup I used to use.