No worries, no such thing as a stupid question.
Yes, you are simply moving the vulnerability. No, you can’t use any reverse proxy program to remove the requirement to expose a port.
I mean, how do you intend for traffic to reach the reverse proxy if there’s no ports open on the router? If you need access via the public internet, there has to be at least one. You just get to pick which.
Moving it to a non-standard port has benefits. Lots of bots/scripts/etc crawl the internet, testing known default ports. You will dodge much simple automated probing - not all, but most.
I would consider RDP secure enough to use on a non-standard port for non-business-critical or small-scale systems. The gold standard, though, is to have a certificate-based VPN server be the only point of entry to a hardened VLAN, and then authenticate to an RDP gateway over your private network.
One nitpick regarding terminology:
Just to be sure I’m unambiguous, I am not suggesting you forward 3389 to another - I am suggesting that you close 3389 externally, and forward an arbitrary high port number (e.g. 38459) to your RDP host instead.