I have tried everything I can think of, and nothing has worked.
I started with a reasonably simple setup:
Internet--> DSL Modem--> 192.168.0.x -->router-->192.168.1.x-->AP (bridged)-->192.168.1.x
With the above setup, I have a single subnet and all computers (wired and wireless) can talk to each other and to the internet. Everything above works fine.
Now I want to add a private 'guest' wireless network which can only access the LAN (192.168.1.x). The reason for this is that I have a bunch of wireless sensors that need to connect to an MQTT broker, but I don't want to expose my primary SSID password, and I do not want these sensors to have any access to the internet.
So my new setup would look like:
Internet--> DSL Modem--> 192.168.0.x -->router-->192.168.1.x---->AP(192.168.1.2)-->192.168.1.x
                                                                 |
                                                                 +-------->192.168.3.x
The router is the gateway for the 192.168.1.x domain, and handles DHCP requests for that subnet.
The AP has 2 wireless networks:
'wlan' is bridged to 'lan' (192.168.1.x)
'sensors' is connected to the 'sensors' interface (192.168.3.x)
The AP is the gateway for the 192.168.3.x subnet.
Now I thought I would set up a NAT between the 192.168.3.x subnet and the 192.168.1.x subnet, but no matter what I do, I can't seem to get it to work.
Current status:
All wired and wireless computers on the 192.168.1.x subnet can talk to each other and the internet
All wireless sensors on the 192.168.3.x subnet can talk to each other and the 192.168.3.1 gateway (but not to the 192.168.1.x subnet or the internet)
The router is a Ubiquiti EdgeRouter X, but I don't think that is relevant, since I am not trying to route from the 192.168.1.x subnet to the 192.168.3.x subnet.
AP is running OpenWRT:
/etc/config/network:
config interface 'lan'
    option ifname 'eth0.1'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option ipaddr '192.168.1.2'
    option gateway '192.168.1.1'
    option delegate '0'

config interface 'sensors'
    option proto 'static'
    option ipaddr '192.168.3.1'
    option netmask '255.255.255.0'
    option gateway '192.168.3.1'
/etc/config/wireless:
config wifi-iface
    option device 'radio0'
    option network 'lan'
    option mode 'ap'
    option ssid 'wlan'
    option encryption 'psk2'
    option key 'yyyyyyyyyyyyyy'

config wifi-iface
    option device 'radio0'
    option network 'sensors'
    option mode 'ap'
    option ssid 'sensors'
    option encryption 'psk2'
    option key 'xxxxxxxxxxxxxxx'
/etc/config/firewall:
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'sensors'
    list network 'sensors'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'sensors'
    option dest 'lan'
Does anyone have an idea why this isn't working?
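Added example, not the poster's configuration: a staged set of OpenWrt fragments (fw3, and the pre-21.02 'ifname' syntax the post uses) for an isolated 'sensors' SSID that is NATed into the LAN but allowed to reach only one MQTT broker. Two OpenWrt facts drive the layout: fw3 applies a zone's 'masq' option to packets leaving through that zone's interfaces, so NAT for sensors -> lan traffic is configured on the lan zone (optionally narrowed with 'masq_src'); and a rule with both 'src' and 'dest' is enough to cross zones, so no blanket 'config forwarding' stanza is needed, which is also what keeps the sensors off the internet, since lan carries the AP's default route. The broker address 192.168.1.10 and port 1883 are hypothetical, and the sensors are assumed to take DHCP from the AP; the script only writes files to a staging directory for review.

```shell
#!/bin/sh
# Added example, not code from the original post: stage OpenWrt (fw3, pre-21.02
# 'ifname' syntax as in the post) fragments for a 'sensors' SSID that is NATed into
# the LAN but may reach only one MQTT broker. Hypothetical values: broker at
# 192.168.1.10:1883, sensors take DHCP from the AP. Merge into /etc/config on the AP.
set -eu
BROKER_IP="${BROKER_IP:-192.168.1.10}"   # assumed broker address on the lan subnet
BROKER_PORT="${BROKER_PORT:-1883}"       # plain MQTT; 8883 for MQTT over TLS

# write_sensor_configs DIR: write the four fragments into DIR for review.
write_sensor_configs() {
    dir="$1"
    mkdir -p "$dir"
    # network: the AP is the gateway of 192.168.3.0/24 itself, so no 'gateway' option.
    cat > "$dir/network" <<'EOF'
config interface 'sensors'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.3.1'
    option netmask '255.255.255.0'
EOF
    # wireless: 'isolate' keeps the sensors from reaching each other through the AP.
    cat > "$dir/wireless" <<'EOF'
config wifi-iface
    option device 'radio0'
    option network 'sensors'
    option mode 'ap'
    option ssid 'sensors'
    option encryption 'psk2'
    option key 'xxxxxxxxxxxxxxx'
    option isolate '1'
EOF
    # dhcp: lease 192.168.3.100-199; the router keeps serving the lan subnet.
    cat > "$dir/dhcp" <<'EOF'
config dhcp 'sensors'
    option interface 'sensors'
    option start '100'
    option limit '100'
    option leasetime '12h'
EOF
    # firewall: fw3 applies 'masq' to packets leaving a zone, so it goes on the lan
    # zone (the egress side), limited to sensor sources. No 'config forwarding' stanza:
    # with forward=REJECT only the explicit broker rule crosses zones, which is what
    # keeps the sensors off the internet. Input from sensors is REJECT except DHCP.
    cat > "$dir/firewall" <<EOF
config defaults
    option syn_flood '1'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option masq '1'
    list masq_src '192.168.3.0/24'
    option mtu_fix '1'

config zone
    option name 'sensors'
    list network 'sensors'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'

config rule
    option name 'sensors-dhcp'
    option src 'sensors'
    option proto 'udp'
    option dest_port '67'
    option target 'ACCEPT'

config rule
    option name 'sensors-to-mqtt'
    option src 'sensors'
    option dest 'lan'
    option dest_ip '$BROKER_IP'
    option proto 'tcp'
    option dest_port '$BROKER_PORT'
    option target 'ACCEPT'
EOF
}
# masq_on_egress_zone DIR ZONE: succeed if 'option masq' is set inside zone ZONE.
masq_on_egress_zone() {
    awk '/^config/ {z=""} /option name/ {z=$3} /option masq/ {print z}' "$1/firewall" |
        grep -qx "'$2'"
}
# no_blanket_forwarding DIR: succeed if no 'config forwarding' stanza opens sensors -> lan.
no_blanket_forwarding() {
    ! grep -q '^config forwarding' "$1/firewall"
}
STAGE="${STAGE_DIR:-$(mktemp -d)}"
write_sensor_configs "$STAGE"
masq_on_egress_zone "$STAGE" lan
no_blanket_forwarding "$STAGE"
echo "staged OpenWrt fragments in $STAGE"
```

To apply it, merge each fragment into the matching file under /etc/config on the AP (the existing 'lan' and 'wlan' stanzas stay as they are, and the 'sensors' stanzas in the post are replaced by these), then run `/etc/init.d/network restart` and `/etc/init.d/firewall restart`. On fw3 the result can be checked with `iptables -t nat -S zone_lan_postrouting`, which should show a MASQUERADE rule limited to `-s 192.168.3.0/24`. Two caveats: the sensors get no DNS, so they must address the broker by IP (or add a further rule allowing udp/53 to a LAN resolver); and if the EdgeRouter is instead given a static route for 192.168.3.0/24 via 192.168.1.2, the 'masq' lines can be dropped and the broker will see the real sensor addresses, which is easier to audit.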