> add iptables to drop packets if there's no back and forth exchange of data, then you're good2go as fake/wrong keys don't use resources to determine if a key is legit or not.

How does an initial connection work in that scheme?

Seems like a pretty big footgun for questionable benefit, since a main benefit of Wireguard is that it’s very lean in terms of resources.