Whenever my prefix changes, I get a new set of addresses: a public one and a PE one, like these
inet6 2001:a:b:c:1:2:3:4a prefixlen 64 autoconf pltime 3600 vltime 7200
inet6 2001:a:b:c:1:2:3:4b prefixlen 64 autoconf temporary pltime 3600 vltime 7200
When the firewall itself sends a message, it properly uses the PE generated address. However, when a NATed client reaches out, it'll be NATed to the normal address. I tried to do this with aliases (by creating a "dynamic host" alias with the MAC-derived suffix) but then I'd need to invert this in order to match the PE address (which I can't predict and thus can't create an alias for), and then somehow put this into the NAT pool.
This doesn't seem to be possible, but hopefully I'm just overlooking something, like the checkbox that says "use only temporary addresses"? ;)