You only need one incoming NAT if they are both on the same server since the vhost will do the rest. In my instance:
LAN: 172.16.0.254
WAN: 10.1.9.254
ROCKY: 172.16.0.10
VIP: 10.1.9.253
So my alias is webserver to 172.16.0.10 - so this is always the internal IP of the server in the LAN segment or wherever it is.
Therefore I would have one port forwarding for webserver, and the vhosts on my Rocky machine would do the rest. The only time you need multiple port forwards is if you are redirecting your web stuff to different servers with different public IPs. Having multiple port forwards to the same IP would most likely be a bit confusing to be honest, as which one would it choose? On my Fortigate it will only let me have one VIP/alias to the internal host. I cannot create multiple ones.
10.1.9.1 is the way my OPNsense gets out to the internet as it's behind a Fortigate which already serves my network. But the way it works is just the same with public IPs on the WAN.
Remember that in the port forward, the destination is either the firewall IP or one of the VIPs. The redirect is where you choose the alias for the webserver.
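
The point made in the post above, that one redirect target can serve several sites because the vhost is selected by name, shown as an added example that is not part of the original post. Assumptions: the hostnames are constructed, 127.0.0.1 stands in for ROCKY (172.16.0.10), and Python's built-in HTTP server stands in for the real web server; names the server does not host get a 421 instead of falling through to a default site.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed hostnames; the post does not name the sites.
VHOSTS = {"site-a.example": b"site A\n", "site-b.example": b"site B\n"}

class VhostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Name-based virtual hosting: the site is chosen from the Host header,
        # not from the destination IP, which is identical for every site.
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        body = VHOSTS.get(host)
        status = 200 if body is not None else 421  # 421 Misdirected Request
        if body is None:
            body = b"unknown host\n"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet

def fetch(addr, port, host):
    """GET / from addr:port while presenting `host` in the Host header."""
    conn = http.client.HTTPConnection(addr, port, timeout=5)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()

def demo():
    # One listener on one address: the single target of the single port forward.
    server = ThreadingHTTPServer(("127.0.0.1", 0), VhostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    addr, port = server.server_address
    try:
        names = ("site-a.example", "site-b.example", "other.example")
        return {name: fetch(addr, port, name) for name in names}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(name, status, body.decode().strip())
```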