Safest way to implement inter-subnet wake-on-lan / Filtering API access

Started by function, January 21, 2025, 03:43:25 PM

Hi, I have two servers in different subnets/VLANs and I'd like to enable one to wake-on-lan the other to initiate regular backups.

As far as I know from researching online, the two main options are either `os-wol` (via API) or actually transferring broadcast packets, which I assume is more prone to configuration errors by me.

Now the server that issues the WOL has HTTP/S forwarded and is therefore heavily isolated and is not allowed to talk to my firewall (i.e. can't curl the web interface for example).

Aside from the usual security measures like strong passwords, disabling root login, and minimal permissions per user, can I somehow set up firewall rules to allow the WOL-initiating server access to OPNsense's API but not the web interface, so that it can't even attempt "regular user logins", if that makes sense?

Maybe I'm looking at this from the wrong angle and there is a completely different approach that's more secure. Please let me know, and thank you for reading and for any replies.