The whole thing is that UDP hole punching itself is a security threat. You do not have to do anything special in the MikroTik configuration in order to enable UDP hole punching for its LAN clients, provided that it has a public WAN address - the standard action=masquerade in the srcnat chain is sufficient. The only thing you have to care about is that two LAN hosts do not use the same port on the local side to connect to the same remote address and port, as the second one would fail because the firewall would replace the local port with a random one on WAN.
It even works with a CGNAT WAN address, provided that the ISP keeps the local side port unchanged unless there is a conflict. But I do not know a single mobile operator that would keep the ports unchanged.
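
Added example, not part of the original post and not RouterOS code: a simplified Python model of port-preserving source NAT, showing the local-port conflict between two LAN hosts and the effect of a CGNAT layer that does or does not keep ports. The class and function names, the addresses, and the rule that the peer replies to the client's local port number are assumptions made for this illustration.

```python
import random

class PortPreservingNat:
    """Simplified model of source NAT that keeps the source port when it is free."""

    def __init__(self, wan_ip, preserve=True, seed=0):
        self.wan_ip, self.preserve = wan_ip, preserve
        self.rng = random.Random(seed)
        self.by_flow = {}  # (lan_ip, lan_port, dst) -> wan_port
        self.in_use = {}   # (wan_port, dst) -> (lan_ip, lan_port)

    def outbound(self, lan_ip, lan_port, dst):
        """Return (wan_ip, wan_port) as the remote side sees this flow."""
        flow = (lan_ip, lan_port, dst)
        if flow not in self.by_flow:
            wan_port = lan_port if self.preserve else None
            # Port taken towards dst (or never preserved): pick a random high port.
            while wan_port is None or (wan_port, dst) in self.in_use:
                wan_port = self.rng.randint(32768, 65535)
            self.by_flow[flow] = wan_port
            self.in_use[(wan_port, dst)] = (lan_ip, lan_port)
        return (self.wan_ip, self.by_flow[flow])

    def inbound(self, src, wan_port):
        """Return the inside endpoint a packet from src reaches, or None if dropped."""
        return self.in_use.get((wan_port, src))


def punch_succeeds(nats, lan_ip, lan_port, peer):
    """nats is ordered from the LAN outwards, e.g. [home_router, cgnat].

    Assumption: the peer replies to the port the client uses locally,
    i.e. nothing tells it the translated port.
    """
    src = (lan_ip, lan_port)
    for nat in nats:
        src = nat.outbound(src[0], src[1], peer)
    hop = (src[0], lan_port)  # where the peer aims its packet
    for nat in reversed(nats):
        hop = nat.inbound(peer, hop[1])
        if hop is None:
            return False
    return hop == (lan_ip, lan_port)


if __name__ == "__main__":
    peer = ("203.0.113.10", 4500)  # constructed documentation addresses
    router = PortPreservingNat("198.51.100.7")
    print(punch_succeeds([router], "192.168.88.10", 5000, peer))  # first host
    print(punch_succeeds([router], "192.168.88.11", 5000, peer))  # same port, same peer
```

In this model the peer's packet for the second host lands on the first host's mapping, because the original port on the WAN side already belongs to it.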