You should start by validating the condition and behavior of the WAN link back to the controller from the perspective of the RAP LAN. There's a few layers to that, but start with a tool like fping from a laptop on the same LAN as the RAP and run a constant 24 hour ping of 1400 bytes to the RAP termination IP.
Now, that is not perfect because likely the public IP is some router in front of the controller that will respond itself (unlike udp/4500 which it will forward to the controller), but it's a starting point.
If that runs clean, then we need to peel the onion another layer; if that doesn't run clean, then it's a separate issue.
From the controller CLI, make sure commands that return small and large output are working correctly, e.g. a small command:
show datapath route ap-name <the ap>
a large command:
show ap debug radio-stats ap-name <the ap> radio 0 advanced
Report back what you find for all of the above.
Finally, depending on whether large commands are working or not, you can run "show ap debug system-status ap-name <the ap>" and the top 20 or so lines will tell something about why the AP felt the controller went away. Grab that info too (if the command works at all, per the above).
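
One way to turn the 24-hour fping log from the first step into outage windows that can be lined up against the system-status output, as an added example that is not part of the original post. It assumes the log was captured with `fping -D -l -b 1400 -p 1000 <RAP termination IP>` and has the line shape of the constructed sample below; the function names and the address 203.0.113.10 are illustrative.

```python
import re
from datetime import datetime, timezone

# Assumed per-probe line shape: "[epoch] host : [seq], <reply or 'timed out'> ..."
LINE = re.compile(r"^\[(?P<ts>\d+\.\d+)\]\s+\S+\s+:\s+\[(?P<seq>\d+)\],\s+(?P<rest>.*)$")

# Constructed sample log (not real capture data).
SAMPLE = """\
[1700000000.100] 203.0.113.10 : [0], 1408 bytes, 23.1 ms (23.1 avg, 0% loss)
[1700000001.100] 203.0.113.10 : [1], 1408 bytes, 22.8 ms (22.9 avg, 0% loss)
[1700000003.100] 203.0.113.10 : [2], timed out (22.9 avg, 33% loss)
[1700000004.100] 203.0.113.10 : [3], timed out (22.9 avg, 50% loss)
[1700000005.100] 203.0.113.10 : [4], timed out (22.9 avg, 60% loss)
[1700000005.130] 203.0.113.10 : [5], 1408 bytes, 30.2 ms (24.7 avg, 50% loss)
[1700000006.100] 203.0.113.10 : [6], 1408 bytes, 23.0 ms (24.3 avg, 42% loss)
[1700000008.100] 203.0.113.10 : [8], 1408 bytes, 23.4 ms (24.1 avg, 44% loss)
""".splitlines()

def parse(lines):
    """Yield (timestamp, seq, replied) per probe line; skip summaries and noise."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield float(m["ts"]), int(m["seq"]), "timed out" not in m["rest"]

def outages(lines, min_lost=2):
    """Return (last_good_ts, next_good_ts, lost) for runs of >= min_lost lost probes.

    Loss is inferred from gaps between sequence numbers of received replies,
    so it works whether or not explicit 'timed out' lines were logged.
    """
    result, prev = [], None
    for ts, seq, replied in parse(lines):
        if not replied:
            continue
        if prev is not None and seq - prev[1] - 1 >= min_lost:
            result.append((prev[0], ts, seq - prev[1] - 1))
        prev = (ts, seq)
    return result

def utc(ts):
    """Format an epoch timestamp as UTC for comparison with controller output."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

if __name__ == "__main__":
    for start, end, lost in outages(SAMPLE):
        print(f"{utc(start)} -> {utc(end)} UTC: {lost} probes lost")
```
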