It’s two different chains, the order is set in stone, it’s always dstnat first and srcnat after that, no matter in which order you add rules. See image in this post.
Dstnat looks for connection to : with protocol and when there’s such, it changes destination to :<target port, if it’s different>. You can omit to-ports option if you’re not changing the port. Router knows where is, so it will send packet there. And srcnat rule is simplified one, if packets come from , it will change source to . If is going to be accessing only device through tunnel, it’s ok like this. If you have also other forwarded ports to some local servers that could be accessing, add dst-address= to srcnat rule, to make it apply only to tunneled traffic.
Packets belonging to established connections are handled automatically, you don’t need any manual config for them.