the only way i can see it working is if the remote service you connect to via wireguard and your bunker is running on your machine listening on your wireguard address... then the key is in your possession on your computer and not copied to another machine

there might be other ways to make a tunnel, but i know i can do it this way with wireguard already, it is very easy, i run my relay this way and it makes it internet accessible, i can even put all kinds of subdomains to point at any number of web servers i want to run