As per the documentation, you could either set webserver.acl to e.g. +10.100.0.0/24,+[fd08:4711::]/64 to restrict access, or bind the webserver to the wireguard addresses by setting webserver.port to e.g. 10.100.0.1:80,+[fd08:4711::1]:80.
Of course, you'd have to adjust addresses and ports to match those used by you.
webserver.port allows for very flexible configuration of Pi-hole's embedded webserver listening behaviour. Settings | All settings » Webserver and API has a quite comprehensive description.
All settings is available in Expert mode only.