I'm not sure of the proper way to resolve this issue with systemd-resolved, but I was able to get to a more comfortable position in my case by disabling systemd-resolved and manually configuring my DNS servers in /etc/resolv.conf. Since the machine in question always sends all traffic over the VPN, I statically set the IP of the WireGuard server in the wg-quick config file so I wouldn't have to have public DNS in /etc/resolv.conf. It appears that some testing is needed with WireGuard/wg-quick on systems using systemd-resolved. I'm happy to help test, but I'm not very familiar with systemd-resolved's inner workings, so I may be of limited use.
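The workaround described in the post above, written out as an added example (it is not the poster's own config and not part of the WireGuard project): a wg-quick config whose `Endpoint` is a literal IP so the tunnel can come up with no resolver at all, a hand-written `/etc/resolv.conf` pointing only at a resolver reachable through the tunnel, and a check that no `Endpoint` in the config is a hostname before you switch systemd-resolved off. The addresses (203.0.113.10 for the server, 10.8.0.1 for the in-tunnel resolver, 10.8.0.2/32 for the client) and the key placeholders are assumptions for illustration; substitute your own.

```sh
#!/bin/sh
# Added example, not from the original post. Assumed values:
#   203.0.113.10:51820  public IP:port of the WireGuard server
#   10.8.0.1            resolver reachable only through the tunnel
#   10.8.0.2/32         this client's tunnel address

# Write a wg-quick config whose Endpoint is an IP literal. With a literal,
# `wg-quick up` never needs DNS, so /etc/resolv.conf can hold only the
# in-tunnel resolver and no public nameserver.
write_wg_conf() {
    cat > "$1" <<'EOF'
[Interface]
PrivateKey = <client private key>
Address = 10.8.0.2/32
# DNS = is left out on purpose: wg-quick would hand it to resolvconf/
# resolvectl, but on this host /etc/resolv.conf is maintained by hand.

[Peer]
PublicKey = <server public key>
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}

# Return 0 if every Endpoint in the given config is an IPv4 literal or a
# bracketed IPv6 literal, 1 if any is a hostname. A hostname Endpoint would
# stop resolving once there is no working resolver outside the tunnel.
endpoints_are_literal() {
    grep -i '^[[:space:]]*Endpoint[[:space:]]*=' "$1" \
    | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/:[0-9]*[[:space:]]*$//' \
    | while IFS= read -r host; do
        case "$host" in
            \[*\])      ;;   # [2001:db8::1] style IPv6 literal
            *[!0-9.]*)  echo "hostname Endpoint would need DNS: $host" >&2
                        exit 1 ;;
            *)          ;;   # dotted IPv4 literal
        esac
    done
}

# A plain /etc/resolv.conf for a host where systemd-resolved is disabled:
# only the resolver behind the tunnel, nothing public.
write_resolv_conf() {
    cat > "$1" <<'EOF'
# Maintained by hand; systemd-resolved is disabled on this host.
nameserver 10.8.0.1
options edns0
EOF
}

# The actual switch-over. Run as root, and only after endpoints_are_literal
# has passed, because after this step nothing outside the tunnel resolves.
# /etc/resolv.conf is normally a symlink into /run/systemd/resolve/, so it is
# removed before a regular file is written in its place.
disable_resolved_and_apply() {
    endpoints_are_literal /etc/wireguard/wg0.conf || return 1
    systemctl disable --now systemd-resolved
    rm -f /etc/resolv.conf
    write_resolv_conf /etc/resolv.conf
}

# Stand-alone demo on temporary files (no root, nothing on the host changes).
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_wg_conf "$d/wg0.conf"
    endpoints_are_literal "$d/wg0.conf" && echo "wg0.conf: all Endpoints are literals"
    write_resolv_conf "$d/resolv.conf"
    cat "$d/resolv.conf"
fi
```

`endpoints_are_literal` is the step worth keeping even if you do everything else by hand: check it against every config under `/etc/wireguard/` before disabling systemd-resolved, since a hostname `Endpoint` on an all-traffic-over-VPN machine leaves you with a tunnel that cannot be brought up and no resolver to fix it with.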