Duplicati TLS support is provided by the mono that is installed that it runs under, but I don’t think that can provide TLS 1.3. It got its TLS 1.2 in 2017 in version 4.8.0 by use of Google’s BoringSSL OpenSSL fork. Update BoringSSL fork #8004 is their open issue to update their code version, but it might never happen because Microsoft bought them and has been trying to move their capabilities (plus others’) into .NET 5.
You can try fiddling with these Duplicati flags, but I doubt you can get to TLS 1.3 if mono won’t support it:
--allowed-ssl-versions (Flags): Sets allowed SSL versions
This option changes the default SSL versions allowed. This is an advanced
option and should only be used if you want to enhance security or work
around an issue with a particular SSL protocol.
* values: Ssl3, Tls, Tls11, Tls12, SystemDefault, Tls13
* default value: SystemDefault
Rclone storage type in Duplicati can probably do WebDAV on TLS 1.3. I think Go’s library supports 1.3.
There may be performance and functionality losses from taking the path of using rclone to handle files.
So it’s kind of an issue about Synology bundling things together to your dislike? Might they take input? Possibly some Synology forum could suggest other ideas, maybe a different WebDAV server or proxy.