There are two things:
1) the libvirt zone - this is managed through firewalld and visible in firewalld UIs
2) libvirt's iptables rules - these are completely separate and independent from firewalld - this is what's blocking the traffic to your VM
Also, wouldn't one expect the rules to be the same for IPv4 and IPv6? Hope the network diagram attachment makes it.

I don't recall what libvirt does for IPv6. But it's a different matter because IPv6 likely is using NAT/masquerade.