Do I understand correctly that it does not do hole-punching, and e.g. unlike with a VPN a host behind NAT will not be able to accept incoming connections?
This is correct in the sense of peering, however hosts behind a NAT can simply connect to any other host on the network such as a pubic peer and then they can accept incoming connections over the yggdrasil network.
I use yggdrasil for NAT hole punching my VPN, for example.
