"But nevertheless one has to add another certificate exception in Firefox. This is because the exception is bound to a specific port and the webui and Syncthing ports differ. So it's no real advantage to use one certificate."
Sorry, but this is utter nonsense. TLS certs don't care one bit about the port they're used through, they care about the IPv4/6 addresses or DNS entries they're trusted for. If you connect through LAN, and it expects a WAN IP, you'll get a warning from Firefox. You can solve that problem by running dnsmasq somewhere on your LAN, where you let the domain name point to the LAN IP. If you resolve using that local dnsmasq, Firefox doesn't require an exception.
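As an added illustration of the point above (example code, not from anyone in this thread): certificate name checking compares the host part of the URL against the certificate's SAN entries, so the port never enters the decision, and a local dnsmasq override changes the resolved address without changing the name being validated. The SAN list and the `address=/name/ip` line are constructed.

```python
"""Certificate name matching is port-independent: added illustration, not code
from the original thread. SAN entries and the dnsmasq line are constructed."""
import ipaddress
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed SAN list in "DNS:<name>" / "IP:<addr>" form: the cert carries a public
# IP and a hostname but NOT the LAN IP, which is the situation the reply describes.
CONSTRUCTED_SANS = ["DNS:sync.example.lan", "DNS:*.home.example.lan", "IP:203.0.113.7"]

# Assumed dnsmasq override: on the LAN the hostname resolves to the LAN address.
DNSMASQ_OVERRIDE = "address=/sync.example.lan/192.168.1.10"

def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-SAN match; '*.' covers exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def san_covers(sans: List[str], target: str) -> bool:
    """True if the DNS name or literal IP `target` appears in the SAN list."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None  # target is a hostname, not an IP literal
    for entry in sans:
        kind, _, value = entry.partition(":")
        if kind == "IP" and ip is not None and ipaddress.ip_address(value) == ip:
            return True
        if kind == "DNS" and ip is None and _dns_match(value, target):
            return True
    return False

def url_host_covered(sans: List[str], url: str) -> bool:
    """Validate the host part of a URL only; the port is parsed and then ignored."""
    return san_covers(sans, urlparse(url).hostname or "")

def resolve_with_override(name: str, override: str) -> Tuple[str, bool]:
    """Apply a dnsmasq 'address=/name/ip' line; return (resolved ip, cert still valid).
    Validation uses the name the client typed, not the address it resolved to."""
    _, _, rest = override.partition("=")
    _, oname, oip = rest.split("/")
    ip = oip if name.lower().rstrip(".") == oname.lower() else "<upstream>"
    return ip, san_covers(CONSTRUCTED_SANS, name)
```

Connecting by the LAN IP literal (`https://192.168.1.10:8384/`) still fails against this certificate, because that address is not in the SAN list; connecting by the overridden name succeeds on any port.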