You could create an alias for the inbound IPs for SIP/RTC and limit the source on the NAT rule with that alias. Then your WebRTC users will be unaffected because their src/dst/port triplet will not match that NAT. https://www.twilio.com/docs/api/voice/sip-interface - see IP address whitelist.
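The matching logic behind the suggestion above, as an added example that is not part of the original posts or of any firewall's own code: it compares an unrestricted UDP port forward with one whose source is limited to an alias. The alias networks, PBX address and port range are constructed placeholders (assumptions), not the provider's published values.

```python
import ipaddress

# Constructed placeholders (documentation ranges), NOT the provider's real list.
SIP_MEDIA_ALIAS = [ipaddress.ip_network(n)
                   for n in ("192.0.2.0/24", "198.51.100.0/27")]
PBX = "10.0.0.10"                  # hypothetical internal PBX address
MEDIA_PORTS = range(10000, 20001)  # hypothetical forwarded UDP range


def in_alias(src, alias):
    """True if the source address falls inside any network of the alias."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in alias)


def port_forward(src, dst_port, proto, alias=None):
    """Return the internal target when the packet matches the NAT rule.

    alias=None models the unrestricted rule (source "any");
    passing an alias models the source-restricted rule.
    """
    if proto != "udp" or dst_port not in MEDIA_PORTS:
        return None
    if alias is not None and not in_alias(src, alias):
        return None
    return PBX


def compare(packets):
    """For each packet: (src, port, target with 'any', target with alias)."""
    return [(src, port,
             port_forward(src, port, proto),
             port_forward(src, port, proto, SIP_MEDIA_ALIAS))
            for src, port, proto in packets]


# Constructed sample traffic arriving on the single public IP.
SAMPLE = [
    ("192.0.2.15", 12000, "udp"),    # provider media source (in alias)
    ("203.0.113.7", 12000, "udp"),   # WebRTC peer, same port, other source
    ("198.51.100.40", 15000, "udp"), # just outside the /27 in the alias
    ("192.0.2.15", 12000, "tcp"),    # wrong protocol
]

if __name__ == "__main__":
    for row in compare(SAMPLE):
        print(row)
```

With the unrestricted rule every UDP packet in the range is sent to the PBX, whatever its source; with the alias only the provider sources are, so traffic from other peers on the same ports is not redirected.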
I have an installation with a single public IP address that uses an Asterisk PBX connected to a Twilio SIP Trunk. The provider does not offer additional IP addresses. Right now, in order for the SIP audio to work, I need to forward UDP ports 1-2 to the PBX since Twilio says media can come