The wiki diagram helped me too, thanks!

One thing I did not understand before: why SNAT must happen at POSTROUTING?

Because the exit interface is only known after the routing decision... before that kernel does not know which source IP to write

this visual schematic made it click for me - https://vectree.io/c/linux-netfilter-packet-flow-tables-chai...