Hotjar's Heatmaps will report both clicks and mouse movements which happen within same-origin iframes, relative to the iframe element, not the page inside.
When it comes to cross-origin iframes, such as iframes loading a YouTube video, Hotjar will only report clicks. These clicks will be centered on the iframe element.
Difference between same-origin and cross-origin
Same-origin means that the page loaded within the iframe is loaded from the same exact protocol and subdomain as the parent window.
Cross-origin policy applies when the page loaded within an iframe DOES NOT match the exact protocol and subdomain as the parent window.
For example, if the iframe is on a page at http://www.example.com. Same-origin will only apply if the page loaded within the iframe is also loaded from exactly http://www.example.com. If it's not, cross-origin policy applies since the iframe is loading a page not hosted on the same 'origin' as the parent window.
To create a Heatmap for a page within an iframe
Install the tracking code on the source page of the iframe
Create a new Heatmap snapshot for that iframe URL
This is the URL of iframe page itself, not the page the iframe element is present on.