Perhaps it makes more sense for the guest WLAN to be physical in AP mode (and the hotspot connection to be virtual in station mode).
This is not possible. The STA (station, client) must follow the frequency of the AP it is associated to, so the physical wireless interface must be in station mode, and the AP(s) must be the virtual one(s).
Once you connect the LTE device using Ethernet, you have to reconfigure the WLAN, as the Mikrotik STA interface will keep switching channels to find the AP and the clients of the virtual APs will be unable to keep up with that (been there, seen that).
Have you considered using a wAP ac LTE kit?
And then I have to figure out how to get reliable remote access when I'm away from the boat - which means some sort of dynamic dns setup if the ISP changes IP addresses.
The best way here is a VPN where the sailing Tik acts as a client/initiator and connects to a server/responder with a static public IP address, so the IP of the sailing Tik need not even be a public one (leaving aside that I have seen a U.S. mobile operator assign public IPs to LTE devices, but these were not routable from the internet and outgoing connections from those devices got NATed to other public addresses).
If you want/have to stick with directly connecting to the sailing Tik, a dynamic DNS domain name comes bundled with every Mikrotik device; they call it the "cloud" service. It did have a several-day outage a few months ago, though, so a backup service is highly recommended.
Complication here is that it's not just access to the WebFig, but some on-board devices have web interfaces for monitoring and management, so I guess I either have to expose the entire network or port forward the specific addresses/services I want remote access to.
Also here I'd say a VPN is a better solution, and in fact the only secure one if some of the web interfaces do not support HTTPS. Port forwarding works, but the method of protecting credentials in HTTP is too weak by today's standards. Restricting access to only a list of allowed addresses is possible (but not nearly as secure as a VPN), plus if you do have static addresses to put on that list, you should be able to run a VPN server on one of them. And then you can connect your laptop or phone to the same VPN and access everything in the boat LAN from anywhere.
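An added example of the client-initiated layout described in the reply above (not configuration from the original thread): RouterOS v7 commands that make the boat router a WireGuard initiator toward a server with a static public IP, and firewall rules so the HTTP-only device web interfaces are reachable only through the tunnel, never via a port forward. The key strings, the server address 203.0.113.10, the 10.66.0.0/24 tunnel subnet, the LAN bridge name "bridge" and the "WAN" interface list are placeholder assumptions.

```routeros
# Tunnel interface on the boat router. Private key is a placeholder;
# generate a real one on the device and never paste it into a forum.
/interface/wireguard
add name=wg-boat listen-port=13231 private-key="<BOAT_PRIVATE_KEY_PLACEHOLDER>"

# The only peer is the server with the static public IP (assumed 203.0.113.10).
# allowed-address covers the whole tunnel subnet so a laptop or phone that is
# also connected to that server can reach the boat through the same tunnel.
# persistent-keepalive keeps the NAT/CGNAT mapping of the LTE uplink alive,
# which is what lets the boat side work without any public or routable IP.
/interface/wireguard/peers
add interface=wg-boat public-key="<SERVER_PUBLIC_KEY_PLACEHOLDER>" \
    endpoint-address=203.0.113.10 endpoint-port=51820 \
    allowed-address=10.66.0.0/24 persistent-keepalive=25s

# Tunnel address of the boat router (assumed subnet 10.66.0.0/24).
/ip/address
add address=10.66.0.2/24 interface=wg-boat

# Input chain: management of the router itself (WebFig, SSH, Winbox)
# is accepted from the tunnel only; everything unsolicited from the LTE
# uplink is dropped. Replies to the boat-initiated WireGuard handshake
# are covered by the established,related rule.
/ip/firewall/filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface=wg-boat \
    comment="router management via VPN only"
add chain=input action=drop in-interface-list=WAN

# Forward chain: VPN users may reach the on-board devices on the LAN
# bridge (including those with plain-HTTP web interfaces); nothing from
# the uplink is forwarded unless it was explicitly dst-natted, and no
# dst-nat rules are created here, so no device is exposed to the internet.
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept in-interface=wg-boat out-interface=bridge \
    comment="VPN users reach boat LAN devices"
add chain=forward action=drop in-interface-list=WAN \
    connection-nat-state=!dstnat
```

On the server side the boat's peer entry must list the boat LAN subnet in its allowed-address (in addition to 10.66.0.2/32) so that traffic from the laptop's or phone's tunnel address to the on-board devices is routed into the boat tunnel.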