VPN access point on raspberry pi not working (clients don’t have internet access)

I’m building a Raspberry Pi 3B as a Wi-Fi AP/gateway. The specs are:
Raspberry Pi OS 64-bit (Debian Trixie-based), kernel 6.12.47+rpt-rpi-v8

The Goal:
Route Wi-Fi clients only through a VPN interface (NordVPN, interface name nordlynx).

What I did:
Installed and configured hostapd and dnsmasq. Both are working, once I connect a device to the pi’s wifi, it receives an IP address.
Generally allowed IPv4 forwarding:
sudo sysctl -w net.ipv4.ip_forward=1

After connecting to nordvpn added the following IPtables rules:

VPNIF="nordlynx"
LANIF="wlan0"
LANNET="10.42.0.0/24"

# Allow established/related back in
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow Wi-Fi clients out ONLY via VPN
sudo iptables -A FORWARD -i "$LANIF" -o "$VPNIF" -s "$LANNET" -j ACCEPT

# NAT (masquerade) clients behind VPN
sudo iptables -t nat -A POSTROUTING -s "$LANNET" -o "$VPNIF" -j MASQUERADE

Also (because client’s didn’t get an IP address assigned after nordvpn connected):
sudo nordvpn set firewall off

Set an explicit route:

echo "200 wifivpn" | sudo tee -a /etc/iproute2/rt_tables
sudo ip route add default dev nordlynx table wifivpn
sudo ip rule add from 10.42.0.0/24 table wifivpn priority 1000
sudo ip route flush cache

Problem: WiFi clients cannot connect to the internet. What is wrong here? Do I need different routing or other IPtables?