If it's happening at bootup, it could be a race condition. WG needs the time set to handshake. Unless your device has a real-time clock (RTC), time is handled by the network time protocol (NTP) daemon which, of course, requires a WAN connection. It also requires DNS to be online. The problem is all network interfaces — including WG — come up at the same time. While the DNS, then the time, is being looked up, the WG tunnel could be trying to establish but failing to authenticate.
This also applies when using DoH or DoT, as TLS also needs the correct time.
Here is how to set the NTP server hostnames and their corresponding IPs, as found at LuCI -> System -> Time Synchronization. This removes the DNS dependency for ntpd:
uci set system.@timeserver[0].server='0.openwrt.pool.ntp.org 1.openwrt.pool.ntp.org 2.openwrt.pool.ntp.org 3.openwrt.pool.ntp.org 104.167.241.197 73.239.145.47 142.147.88.111 171.66.97.126'
uci commit system
service system restart
If just changing the connectivity state (e.g. `ifdown/ifup wan`), the WG interface should automatically be a part of that process (`logread -e netifd`). Other than that, the `wireguard_watchdog` script should be set in cron to periodically poll the DDNS used for the Endpoint. Run `service cron restart` after configuring.
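As an added example (my own code, not OpenWrt's `/usr/bin/wireguard_watchdog` and not part of the post above), here is a minimal POSIX shell watchdog that ties the two points together: it does nothing until the system clock looks set, and it only re-resolves and re-applies the endpoint for peers whose latest handshake is stale. The interface name, peer key, hostname, port, staleness threshold and clock floor are assumed placeholders; `wg`, `nslookup` and `date` are the router's own tools, and the `nslookup` parser is written for busybox output.

```shell
#!/bin/sh
# Added example, not OpenWrt's /usr/bin/wireguard_watchdog. A small watchdog that
# 1) refuses to act until the system clock looks sane (WireGuard handshakes carry
#    a timestamp, so a clock stuck near the epoch cannot complete one), and
# 2) re-resolves the DDNS endpoint and re-applies it with `wg set` only for peers
#    whose latest handshake is stale.
# Usage on the router (from cron): /root/wg_watchdog.sh wg0 <peer-public-key> vpn.example.net 51820
# Interface, key, hostname, port and the two thresholds below are assumed placeholders.

STALE_AFTER=${STALE_AFTER:-300}   # seconds without a handshake before acting (assumed)
CLOCK_FLOOR=1600000000            # 2020-09-13 UTC; earlier means NTP has not set the clock (assumed)

# clock_is_sane NOW -> success if epoch NOW is later than CLOCK_FLOOR
clock_is_sane() {
    [ "$1" -gt "$CLOCK_FLOOR" ]
}

# stale_peers HANDSHAKES NOW
# HANDSHAKES is the text of `wg show <iface> latest-handshakes`, one
# "<public-key><TAB><epoch>" line per peer, epoch 0 meaning never.
# Prints the keys whose last handshake is older than STALE_AFTER at epoch NOW.
stale_peers() {
    printf '%s\n' "$1" | while read -r pubkey last; do
        [ -n "$pubkey" ] || continue
        last=${last:-0}
        if [ "$last" -eq 0 ] || [ $(( $2 - $last )) -gt "$STALE_AFTER" ]; then
            printf '%s\n' "$pubkey"
        fi
    done
}

# first_address: read busybox nslookup output on stdin and print the first answer
# address. The server block before the blank line is skipped; both the
# "Address: x" and the older "Address 1: x name" layouts are handled.
first_address() {
    awk 'blank && /^Address/ { sub(/^Address( [0-9]+)?:[[:space:]]*/, ""); print $1; exit }
         /^$/ { blank = 1 }'
}

# refresh_endpoint IFACE PUBKEY HOST PORT: re-resolve HOST and point the peer at it
refresh_endpoint() {
    ip=$(nslookup "$3" 2>/dev/null | first_address)
    [ -n "$ip" ] || { echo "wg_watchdog: cannot resolve $3" >&2; return 1; }
    case $ip in *:*) ip="[$ip]" ;; esac     # IPv6 literals need brackets
    echo "wg_watchdog: $1 peer $2 -> $ip:$4" >&2
    wg set "$1" peer "$2" endpoint "$ip:$4"
}

# main IFACE PUBKEY HOST PORT (one peer; call once per peer for multi-peer setups)
main() {
    now=$(date +%s)
    if ! clock_is_sane "$now"; then
        echo "wg_watchdog: clock not set yet ($now), waiting for NTP" >&2
        return 0
    fi
    stale_peers "$(wg show "$1" latest-handshakes)" "$now" | while read -r peer; do
        [ "$peer" = "$2" ] && refresh_endpoint "$1" "$2" "$3" "$4"
    done
}

if [ "$#" -eq 4 ]; then
    main "$@"
fi
```

A cron entry such as `*/5 * * * * /root/wg_watchdog.sh wg0 <peer-public-key> vpn.example.net 51820` (followed by `service cron restart`, as the post says) runs it every five minutes; the clock check is what keeps it from thrashing the endpoint during the boot-time window described above, before NTP has finished.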