In teleworker, if the SSID isn't broadcasting then the VPN tunnel to the MX has not formed. Instead of relying on a random chance for the port number assignment, I would recommend setting it statically. If you go to Security & SD-WAN > Wireless Concentrator on the MX you're concentrating to, then you can define a NAT traversal of Manual: Port forwarding where you manually input the public IP and port. Now, at the edge firewall, create a port forward pointing all traffic on the UDP port you specified to the IP of the MX.
What I think is happening is that somewhere along the path, port numbers are getting changed and firewalls are blocking the traffic. By creating the port forward you reduce the chance of traffic getting blocked if there is no corresponding outbound flow.
This recommendation isn't just for Teleworker VPN. I highly recommend this be done for EVERY hub in Auto VPN. The spokes are harder to control and likely using templates, so I don't bother. But the hubs, it's a very simple change that reaps the most benefits.
Even if you decide to not do the port forward, it's still worth it. By setting the manual port you are telling the MX to use that port all the time. If you don't have it and the MX rebooted, the port would change. Not only would all of the VPN tunnels have to reform, but all of the UDP sessions would need to be rebuilt from scratch. By keeping the same port we can reduce the load.
In summary, I would make sure that the AP can form the VPN tunnel to the MX. Use manual port forwarding so that you can make sure that the traffic can get into your datacenter.