does anyone know of a way to have the kolide fleet management UI accessible over a different port? We want our nodes to be able to access the server over 443 on public WAN but only have the web UI accessible internally over a different port to 443

You will want to put it behind a reverse proxy that can filter certain routes, such as nginx

This is what we are doing as well - using nginx to limit the UI path to specific source networks. Our laptop clients will only be able to hit the APIs related to registration and data streaming. Here is a good article about it https://defensivedepth.com/2020/04/02/kolide-fleet-breaking-out-the-osquery-api-web-ui