I knew when you described being behind CGNAT that you were talking about Starlink. Starlink isn’t necessarily a solution to your problems. I have it, and it’s recently been pretty slow where I am, and their support is famously difficult to work with. If you have a terrestrial option, it’s probably worth taking a good look at whether you really want Starlink. A few hours of reading in r/starlink may be able to help.
For your other issue, it seems like the best answer is for your employer to provide a VPN (a real VPN, hosted by the employer, not some janky BorgVPN thing whose only purpose is paying YouTubers to lie about what people use their service for.) That has the additional advantage of greatly simplifying the whitelist, which is good for security.
You might not even need it, depending on where you are in the world. Starlink assigns IPv6 addresses differently than they assign IPv4 addresses, so you could potentially use dynamic DNS as long as you stick to IPv6 for all of your services. Still a violation of the Starlink TOS, of course, but who hasn’t engaged in a little light TOS violation from time to time?