badmonkey
just joined
Topic Author
Posts: 6
Joined: Sat Jun 11, 2022 3:03 pm

Wireguard IPv6 noobiconfusion - suffix randomization

Sat Jun 11, 2022 3:16 pm

I'm setting up IPv6 on my ac2 with ROS 7.2.3 and have had success in getting it basically working. I have a /56 prefix from my ISP, and IPs are assigned to my bridge(s) from the DHCP client pool. Client devices all work OK and pass IPv6 web tests.

I am now trying to add IPv6 support to Wireguard and here again I can get it to work by assigning an address from the same pool...
/ipv6 address add eui-64=yes from-pool=ipv6pool interface=wg-remote-access
Then in the ROS Wireguard Peer "allowed addresses" I copy the generated address 2XXX:XXXX:XXXX:cc04::/64
and add 2XXX:XXXX:XXXX:cc04::2/128 as address on Android client, and it works well and I see this same address as client IP on any test site.
...the problem is this gives the Wireguard peer a static public IP, which is unacceptable from a privacy/tracking point of view.

I see e.g. Windows does address randomization by default, but it seems Wireguard Android client does not, or cannot because here a specific /128 address is being mandated.

How do I achieve randomization on my WG peer client?

I found some examples in my reading that suggested to assign fd00 addresses instead which can be NAT'ed, so:
/interface wireguard peers add allowed-address=192.168.98.2/32,fd00:11::2/128 interface=wg-remote-access public-key=xxx
/ipv6 address add address=fd00:11::1 interface=wg-remote-access
with Android client set-up with Interface Addresses 192.168.98.2/32,fd00:11::2/128

I tried as a chancer
/ipv6 firewall nat add action=masquerade chain=srcnat out-interface-list=WAN src-address=fd00:11::/64
but I have no idea what I'm doing and it doesn't work, breaks the Wireguard IPv6.

1) am I on the right track trying to use fd00 and NAT to achieve randomization?
2) how?
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Wireguard IPv6 noobiconfusion - suffix randomization

Sat Jun 11, 2022 6:50 pm

I don't see how NAT will help you; you'd still go out via your router's public, static IPv6 addr.
IPv6 NAT stands against something IPv6 tries to solve (get rid of NAT).
If a static IPv6 addr is a privacy/tracking concern for you, maybe you should find another solution, as WireGuard alone is not able to keep the peer configs in sync when you want to change your IPv6 addr.
 
badmonkey
just joined
Topic Author
Posts: 6
Joined: Sat Jun 11, 2022 3:03 pm

Re: Wireguard IPv6 noobiconfusion - suffix randomization

Sun Jun 12, 2022 1:52 pm

Znevna wrote: "I don't see how NAT will help you, you'd still go out via your routers public, static IPv6 addr."
I viewed it as analogous to NAT'ed clients going out behind a static WAN IPv4. The signal of an individual client is obscured in the noise of all the other clients sharing the same LAN.

I agree randomization on the WG client end is preferable; I wonder if the Android app interface addresses may be scripted to randomize somehow.
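An added example (not from the thread, and not MikroTik's or WireGuard's own code) of the scripted randomization badmonkey wonders about: draw a random 64-bit interface identifier inside the peer's /64 (the fd00:11::/64 ULA from the first post is assumed as the prefix), then emit the matching RouterOS allowed-address command and the Android "Interface Addresses" string so both ends change together, which is the sync problem Znevna points out. The interface name, peer public key and IPv4 address are placeholders.

```python
import ipaddress
import secrets
from typing import Optional

# Bit 6 of the first IID octet is the u/l bit (0x02); RFC 4941 clears it for
# randomized identifiers so they are never mistaken for a real EUI-64.
_UL_BIT = 1 << 57


def random_peer_address(prefix: str, iid: Optional[int] = None) -> ipaddress.IPv6Address:
    """Return a host address inside `prefix` (a /64) with a random 64-bit IID.

    `iid` may be supplied for reproducible output (e.g. tests); otherwise a
    fresh value comes from the OS CSPRNG. Host bits in `prefix` are ignored.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix, got /%d" % net.prefixlen)
    while True:
        candidate = secrets.randbits(64) if iid is None else iid
        candidate &= ~_UL_BIT
        # Skip the subnet-router anycast (::0) and the all-ones identifier.
        if 0 < candidate < (1 << 64) - 1:
            return ipaddress.IPv6Address(int(net.network_address) | candidate)
        if iid is not None:
            raise ValueError("supplied iid is reserved after clearing the u/l bit")


def routeros_peer_cmd(interface: str, pubkey: str, v4: str,
                      v6: ipaddress.IPv6Address) -> str:
    """RouterOS command that lets the router accept the new /128 from this peer."""
    return (f"/interface wireguard peers add interface={interface} "
            f"public-key={pubkey} allowed-address={v4}/32,{v6}/128")


def client_interface_addresses(v4: str, v6: ipaddress.IPv6Address) -> str:
    """Value for the Android app's Interface -> Addresses field."""
    return f"{v4}/32,{v6}/128"


def rotate(prefix: str, interface: str, pubkey: str, v4: str,
           iid: Optional[int] = None) -> dict:
    """Produce both sides of one address rotation so they cannot drift apart."""
    v6 = random_peer_address(prefix, iid)
    return {"address": v6,
            "router": routeros_peer_cmd(interface, pubkey, v4, v6),
            "client": client_interface_addresses(v4, v6)}


if __name__ == "__main__":  # placeholder key and interface, constructed for the demo
    for k, v in rotate("fd00:11::/64", "wg-remote-access", "PEER_PUBKEY_PLACEHOLDER",
                       "192.168.98.2").items():
        print(f"{k}: {v}")
```

Each run yields a different suffix inside fd00:11::/64; the old peer entry on the router should be removed once the client has switched, or the previous address stays reachable.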
