I just learned that #Wireguard will automatically and correctly clamp any private 32-byte key.
For example:
$ openssl rand -base64 32
tx6Kwv9L17ARq8WOd0M3sjm8gKU8bmdoSeBoGTzyEyY=
Even though the first and last bytes are not properly clamped above, when generating the public key, the wg(8) tool will clamp it. Further, when bringing up the interface, Wireguard will also clamp it.
See https://git.zx2c4.com/wireguard-tools/tree/src/genkey.c and https://git.zx2c4.com/wireguard-linux/tree/drivers/net/wireguard/noise.c (search for "curve25519_clamp_secret")