Setup VPN on the host via something like Wireguard and enable port-forward with your VPN for the HTTPS port.

Could also setup a very cheap VPS as a proxy that proxies connections over Tailscale to the BTCPay Server running elsewhere, would hide true IP address.