Do you know how to add Iptables entries to the DOCKER-USER chain?
Maybe this will help you. https://docs.docker.com/network/packet-filtering-firewalls/
iptables is a global server configuration. Not only do you need to add iptables rules to docker, if you give your friend access through Wireguard you would also need to add rules to the Wireguard tunnel if you want him to only be able to access one IP. Configuring iptables is complicated, which is why I still think that you should not give your friend access through Wireguard but through a shared domain on the internet.