I finally solved this, I think. The full details are now in the bug report https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106398
TL;DR: The hotspot was set up reasonably, so that packets going through it are forwarded for handling by the rest of the system. But I had previously used Docker on this system, and *it* set up a forwarding rule which allows forwarding from/to the docker network, but not any other network. And that rule was having the last word.
