Dynatrace Managed node needs 443 (inbound) for UI traffic (coming from the browser) and 8443 for monitoring traffic (coming from the agents or private/public managed gateways). Here your understanding is correct.
The other port 443 from your question is a MissionControl port. MissionControl is in the cloud and the cluster connects to it, so it needs outbound connectivity on that port. Not necessarily direct connectivity, it can be via configured proxy. It can also be restricted only to MC public IP address. But it needs to be able to reach https://mcsvc.dynatrace.com
Inbound and outbound connectivity are two separate things.