When I look at these zero trust solutions need 80/443 for what seems some type of bootstrapping
Better it happens using the same approach wireguard takes (udp/stateless). Though I'm not sure if there's more than just bootstrap taking place, maybe constant routing updates etc
Why do you think thats against the principles of zero trust? Wireguard is a wire transport, it has no control plane... I think what you are alluding to is the centralised control plane which makes it possible to operate at scale (and much more).
Better it happens using the same approach wireguard takes (udp/stateless). Though I'm not sure if there's more than just bootstrap taking place, maybe constant routing updates etc