Masquerade def seems to work.
Ping to cloudflare DNS sourced from GUA that’s not publicly routable.
[zuul@rtr-edge-02.jan1.us.ipa] > ping 2606:4700:4700::1111 src-address=200:c01d:c01a:beef::7ac0
SEQ HOST SIZE TTL TIME STATUS
0 2606:4700:4700::1111 56 57 14ms634us echo reply
1 2606:4700:4700::1111 56 57 16ms903us echo reply
2 2606:4700:4700::1111 56 57 14ms934us echo reply
3 2606:4700:4700::1111 56 57 14ms126us echo reply
4 2606:4700:4700::1111 56 57 16ms241us echo reply
5 2606:4700:4700::1111 56 57 16ms212us echo reply
6 2606:4700:4700::1111 56 57 15ms7us echo reply
7 2606:4700:4700::1111 56 57 15ms624us echo reply
sent=8 received=8 packet-loss=0% min-rtt=14ms126us avg-rtt=15ms460us max-rtt=16ms903us
NAT config
/ipv6 firewall nat
add action=masquerade chain=srcnat dst-address=2000::/3 src-address=\
200:c01d:c01a:beef::7ac0/128 to-address=2603:XXXX:XXXX:XXXX::2/128
Connection table entry
[zuul@rtr-edge-02.jan1.us.ipa] > ipv6/firewall/connection/print
Flags: S - SEEN REPLY
Columns: PROTOCOL, SRC-ADDRESS, DST-ADDRESS, TCP-STATE, TIMEOUT
# PROTOC SRC-ADDRESS DST-ADDRESS TCP-STATE TIMEO
4 S icmpv6 200:c01d:c01a:beef::7ac0 2606:4700:4700::1111 29s