Send only certain traffic into Wireguard-tunnel

@sindy: Thanks a lot for your comments and recommendations. I adjusted my config accordingly (replaced three mangle prerouting rules with a single rule, removed the routing rule). But it actually did not change anything.

This is my current config for the WireGuard handling (only the configuration explicitly added to the “normal” existing config, which has been in use for several years now):

/interface wireguard
add listen-port=37215 mtu=1420 name=WIREGUARD-IF

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=removed endpoint-port=\
    3064 interface=WIREGUARD-IF name=peer-WIREGUARD-IF public-key=\
    "removed"

/interface list
add name=MULLVAD_VLANs

/interface list member
add interface=vlan-clt list=MULLVAD_VLANs

/ip address
add address=removed(private-ip) comment="internal address for WIREGUARD-IF" \
    interface=WIREGUARD-IF network=removed(private-ip)

/ip firewall address-list
add address=192.168.0.0/16 comment=\
    "route traffic not through wg tunnel for internal nets" list=INTERNAL_NET

/ip firewall filter
add action=drop chain=input comment=\
    "input chain: drop incoming traffic from wg tunnel" in-interface=\
    WIREGUARD-IF
add action=drop chain=forward comment=\
    "forward chain: drop incoming traffic from wg tunnel" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    WIREGUARD-IF

/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
    "mark traffic to be routed through wg tunnel" disabled=no \
    dst-address-list=!INTERNAL_NET in-interface-list=MULLVAD_VLANs \
    log-prefix="mark routing:" new-routing-mark=rout-mullvad \
    passthrough=no src-address=192.168.2.11

/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "masquerade all outgoing communication to wg tunnel" out-interface=\
    WIREGUARD-IF

/routing table
add disabled=no fib name=rout-mullvad

/ip route
add comment="rout marked traffic through wg tunnel" disabled=no distance=1 \
    dst-address=0.0.0.0/0 gateway=WIREGUARD-IF routing-table=\
    rout-mullvad scope=30 suppress-hw-offload=no target-scope=10

@anav: I don’t think it makes sense to post the whole configuration (I did in the past: http://forum.mikrotik.com/t/srcnat-is-undesiredly-applied-with-mark-routing/165868/14) - I appreciate it if someone tries to help me by understanding my configuration/problem, but I am sure no one is analyzing the complete configuration.

I guess the configuration snippet posted above should be okay and working, but actually it is not. As soon as I enable the mangle prerouting rule, the test client 192.168.2.11 (which belongs to INTERNAL_NET) is not able to open any webpage (port 443) anymore. Pinging any destination (outside the internal net) is not working either. DNS is still working (because the MikroTik router forwards DNS requests to an internal Pi-hole).

When removing the route described above and instead adding a manual route for the IP address that whatismyip.uno resolves to, with gateway=WIREGUARD-IF, the client is able to open https://whatismyip.uno/, which shows an IP address of the country the WireGuard tunnel terminates in. So the tunnel, NAT and firewall filters should actually be working fine.

I want to have the flexibility to route only certain traffic through the tunnel by using that mangle prerouting rule. But I am not sure how to find the root cause of the problem.

Best regards,
cyb