Attached is my network diagram. I have a Modem -> Router -> AP setup and want to forward port 443 through them. I have tried 3 configurations in the IP > Firewall > NAT but isn't able to get it to work. I have a domain sub.example.com with A record to 67.149.141.59. The goal is to have sub.example.com connect to the "Server" (in the diagram). How do I set this up correctly?

Any help would be greatly appreciated!

Does the MT router get the public IP address, if not you have to find a way to ensure data is forwarded from what would be a router/modem to the MT router.
I will assume the MT router DOES get the public IP.
Does the MT provide the subnet and DHCP for the google and follow on devices, its not clear.
Will assume it does.

Therefore you need two things ONE a generic firewall rule allowing port forwarding
TWO a destination nat rule to direct traffic from the WAN to to the server.

What is not working, (outside users are not able to reach the server, OR inside users not able to reach the server using the public WANIP address (hairpin nat special case)??
None of your destination NAT Rules are correct.

add action=dst-nat chain=dstnat comment=Put_In_Your_Own_Purpose dst-address-type=local \
dst-port=xxxx in-interface-list=WAN log=yes protocol=tcp \
to-addresses=192.168.0.44 (to ports=yyyy) NOTE: To ports only required if different from original destination port, often called port translation.

Seems like NAT behind NAT
MT SRC address should be empty.
DST address is MT WAN IP.
To address should (in double NAT case) be AP WAN IP , something like 192.168.88.111