Certificate-based VPN using AWS Site-to-Site VPN where customer gateway is behind CGNAT

I see that an IP address is not required for the customer gateway when you make a site to site VPN that is certificate-based, as described here:

https://repost.aws/knowledge-center/vpn-certificate-based-site-to-site

Does this mean that a connection can be made where the client is behind CGNAT? I need a site-to-site VPN from AWS VPN to a remote location where that remote location is using a cellular internet connection that uses CGNAT and isn't publicly addressable.

I have read the post here, but the answer seems a unclear (it states that the IP is optional, but also says it must be static, and if it is behind NAT it must be the public facing IP of the NAT device... but it is optional, so I don't understand why those other requirements are even relevant to the question):

https://repost.aws/questions/QUGJ-vwDbMR9uI8cfIbeWRfA/site-to-site-vpn-with-dynamic-wan-address-lte-starlink-etc