if I statically configure a laptop on port 3 with 192.168.43.3/24 it can ping the Juniper 192.168.43.1 gateway! Yay! That means the VLAN encapsulation must be working.
It must be working at least in the laptop->Juniper direction in terms that a tagless frame sent by the laptop gets tagged with VID 431 on its way to Juniper; it may not be working in terms that if a frame from Juniper makes it to the laptop, it may not get untagged on the way and the Windows driver will accept it anyway (they usually silently strip the VLAN tag and happily process the frame).
wouldn't a laptop plugged in like mine is in port 3 just pass the lease request straight through to the Juniper without any further configuration, so once I get my DHCP server on the Juniper listening on vlan 431 it would just serve up an address somewhere in the 192.168.43.0/24?
Correct, it should work like this. But I have no idea whether the Juniper DHCP server doesn't need to be specifically told to listen on trunk ports or something alike. And as you use hardware forwarding, the only way to see how it really looks at the wire between the Juniper and ether1 is to insert another bridge device between the two and sniff on it. Or you may try to create another bridge on the 2011, temporarily make ether9 and ether10 its /interface bridge port (and set them to defaults in /interface ethernet switch port section), connect ether1 to ether9 and ether10 to Juniper, and run /tool sniffer interface=ether9 with some dhcp client connected to one of ether3 .. ether5 to see whether the DHCPDISCOVER packets are tagged with VID 431 or not. But if all the port LEDs start blinking like mad, it means that there is an L2 loop because something leaks somewhere, and so you'll have to use an external device for sniffing.
Or do I really need to do anything else on the Mikrotik still (besides disabling DHCP server on Ports 3-5 and 6-10)? I still want to leave the default DHCP of 192.168.88.1/24 on Port 2 for device management, but I want all wireless clients and wired clients to get their DHCP lease from the Juniper.
To keep the IP subnet 192.168.88.0/24 with DHCP server of Mikrotik on ether2, just remove the ether2 from the bridge and attach the IP address and DHCP server directly to ether2 rather than the bridge. So to do that, connect your PC to ether2, log in, open an ssh connection or a terminal window in WebFig or Winbox, press Ctrl-X (safe mode), copy-paste the following line into that window and press [Enter]:
/interface bridge port disable [find interface=ether2-master];/ip address set [find interface=bridge] interface=ether2-master;/ip dhcp-server set [find interface=bridge] interface=ether2-master
If you don't lose the connection after doing this, you can press Ctrl-X again and the management access will be completely independent from the bridge.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
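Added example, not part of the original post: a way to check frames captured by the sniffer for the thing the reply asks about, whether a DHCPDISCOVER carries an 802.1Q tag with VID 431. The function names and the sample frames are constructed for illustration.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field

def classify_frame(frame: bytes):
    """Return (VID or None, DHCP message type or None) for one Ethernet frame."""
    if len(frame) < 18:
        return None, None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset, vid = 14, None
    if ethertype == 0x8100:                    # 802.1Q tag present
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vid, offset = tci & 0x0FFF, 18         # VID is the low 12 bits of the TCI
    if ethertype != 0x0800 or len(frame) < offset + 20:
        return vid, None                       # not IPv4, or truncated
    ihl = (frame[offset] & 0x0F) * 4
    udp = offset + ihl
    if frame[offset + 9] != 17 or len(frame) < udp + 8:
        return vid, None                       # not UDP, or truncated
    sport, dport = struct.unpack_from("!HH", frame, udp)
    opts = udp + 8 + 236                       # UDP header + fixed BOOTP header
    if {sport, dport} != {67, 68} or frame[opts:opts + 4] != DHCP_MAGIC:
        return vid, None
    i = opts + 4
    while i + 1 < len(frame) and frame[i] != 255:   # 255 = end option
        if frame[i] == 0:                      # pad option has no length byte
            i += 1
            continue
        code, length = frame[i], frame[i + 1]
        if code == 53 and length == 1 and i + 2 < len(frame):
            return vid, frame[i + 2]           # 1 = DHCPDISCOVER
        i += 2 + length
    return vid, None

def build_discover(vid=None):
    """Constructed sample frame: minimal DHCPDISCOVER, optionally 802.1Q-tagged."""
    eth = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x03"
    if vid is not None:
        eth += struct.pack("!HH", 0x8100, vid)
    dhcp = b"\x01\x01\x06\x00" + bytes(232) + DHCP_MAGIC + b"\x35\x01\x01\xff"
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(4), b"\xff" * 4)   # checksums left at 0 in this sample
    return eth + struct.pack("!H", 0x0800) + ip + udp

if __name__ == "__main__":
    for label, frame in (("tagged", build_discover(431)), ("untagged", build_discover())):
        print(label, classify_frame(frame))
```

A result of `(None, 1)` on the Juniper-facing link means the DHCPDISCOVER left untagged; `(431, 1)` means the tag was applied.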