Please excuse my stupidity, but at the moment I feel as smart as a potato.
Found the issue by spoofing a test request as if it was coming from bunq (18.104.22.168). Firewall. Obviously!
The IP whitelist on the router was fine, but the whitelist on Caddy itself was wrong, missing the /22 subnet. So the router was allowing the connection but Caddy would block it with a 403. Strangely enough, this wasn't being logged (but successful requests were), and I found out that the log file for errors had the wrong permissions. My Caddyfile is managed automatically from script, so the only place I actually didn't bother checking was there. Turns out I never considered using CIDR notation before so the script would cut out everything after the /. So much trouble for such a small misconfiguration. Learning every day.
TL;DR Cascading issues and bad sysops skills. Everything solved.