OriiOn
Frequent Visitor
Topic Author
Posts: 88
Joined: Thu Feb 25, 2010 11:54 am

IPSec VPN limiting access inside LAN

Fri May 17, 2019 8:58 pm

I have successfully established an IPSec tunnel via a software VPN Client (running on a PC with local IP 10.42.1.43) to a Mikrotik router. If I specify the correct IP-range of the LAN behind the router (192.168.2.0/24) the remote PC has access to the entire LAN.
/ip ipsec policy
add src-address=192.168.2.0/24 dst-address=10.42.1.43/32 sa-dst-address=88.116.xx.xx sa-src-address=88.117.xx.xx tunnel=yes
That's nice, but that is not what I want. Instead I want to limit access through the VPN to only one IP:port inside the LAN (192.168.2.20:80).

I have a second requirement to the solution: I also want to be able to change that IP-address (192.168.2.20) the remote client has access to, without "the client side knowing" or the need to make changes on the client side, to eg 192.168.2.21.

How can I achieve that? Being a novice I figure a solution could be to define a non-existent IP (range) (like 192.168.33.1/32) in the ipsec policy, and then have a (NAT) rule that would make sure that VPN traffic coming from 192.168.33.1 is forwarded to 192.168.2.20 (or any other address I might change it to in the future) - only for port 80.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPSec VPN limiting access inside LAN

Fri May 17, 2019 10:13 pm

According to the standard, the traffic selector of an IPsec policy can indeed be as narrow as to specify two IP:port tuples and a protocol. The client may not be fully compliant, though.

As for changing the address at Mikrotik side transparently to the client, your suggestion regarding NAT is correct.
 
OriiOn
Frequent Visitor
Topic Author
Posts: 88
Joined: Thu Feb 25, 2010 11:54 am

Re: IPSec VPN limiting access inside LAN

Sat May 18, 2019 12:38 pm

Yes, the NAT rule solved the problem nicely. I forward traffic from the imaginary VPN address 192.168.33.1 to the actual PC inside the LAN (192.168.2.20).
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=192.168.33.1 dst-port=80 protocol=tcp to-addresses=192.168.2.20 comment=VPN
In addition I only allow port 80 in the NAT rule, so that solves my problem of limiting traffic to port 80 only.
As a result the remote VPN client can only access 192.168.33.1:80 - just like I wanted.

Are there any other security concerns? Should I have to add firewall rules that limit access from 192.168.33.1 to any other subnet (like 192.168.2.0/24)?
Thank you for your help!
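
Added example (editor's note, not configuration posted by OriiOn or sindy): the complete RouterOS fragment that the two posts above describe, plus the forward-chain filter rules the last question asks about. It reuses the addresses from the thread (client 10.42.1.43, placeholder 192.168.33.1, target 192.168.2.20, the masked 88.116.xx.xx / 88.117.xx.xx peers); everything else is an assumption of this example: the policy is narrowed to TCP port 80 as sindy says the standard allows, the dst-nat rule is pinned to the client's source address, and the filter uses the `ipsec-policy` and `connection-nat-state` matchers so that only connections the dst-nat rule actually translated are forwarded. The filter rules must sit above any general "accept LAN" forward rules to take effect.

```routeros
# --- IPsec traffic selector: only the placeholder host, only TCP/80 on the LAN side.
# If the client refuses to negotiate port-level selectors (sindy's caveat),
# drop "protocol=tcp src-port=80" and rely on the NAT + filter rules below.
/ip ipsec policy
add src-address=192.168.33.1/32 dst-address=10.42.1.43/32 \
    sa-src-address=88.117.xx.xx sa-dst-address=88.116.xx.xx \
    protocol=tcp src-port=80 tunnel=yes comment="VPN client -> placeholder host"

# --- Translate the placeholder to the real server. This is the single line to edit
# when the target moves (e.g. 192.168.2.20 -> 192.168.2.21); the client sees no change.
# src-address is an assumption of this example: it keeps the NAT from applying to
# any other source that might ever reach 192.168.33.1.
/ip firewall nat
add chain=dstnat action=dst-nat src-address=10.42.1.43 dst-address=192.168.33.1 \
    protocol=tcp dst-port=80 to-addresses=192.168.2.20 to-ports=80 comment=VPN

# --- Forward filter (placed before the generic LAN rules): accept only what the
# dst-nat rule translated, drop everything else that arrived through the tunnel.
# connection-nat-state=dstnat means the filter follows the NAT target automatically,
# so changing the NAT rule does not require touching the filter.
/ip firewall filter
add chain=forward action=accept ipsec-policy=in,ipsec src-address=10.42.1.43 \
    connection-nat-state=dstnat protocol=tcp dst-port=80 \
    comment="VPN client: only the dst-natted web service"
add chain=forward action=drop ipsec-policy=in,ipsec src-address=10.42.1.43 \
    comment="VPN client: nothing else (192.168.2.0/24 included)"
```

Usage note: without the two filter rules the client is already confined by the policy selector (packets decrypted from the SA that do not match 192.168.33.1/32 are discarded by IPsec) and by the absence of any route for 192.168.33.1 other than the NAT rule; the filter rules are defence in depth, so that a later, wider policy or a second NAT rule cannot silently widen the client's reach to the rest of 192.168.2.0/24. Check the result with `/ip firewall connection print where src-address~"10.42.1.43"` after a client connect: only a TCP/80 entry with reply-dst 192.168.2.20 should appear.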
