I've noticed that the rules set in the Qubes firewall for VMs connected to sys-whonix are completely ignored. All traffic goes through. The Whonix wiki warns about it:
https://www.whonix.org/wiki/Qubes/Firewall#Whonix-Workstation_Firewall
Easy solution: create named disposable sys-whonix-fw based on Debian or Fedora (just like sys-firewall or sys-vpn-fw), then connect your VMs to sys-whonix-fw insteaad of sys-whonix. Now all traffic with be filtered by the Qubes firewall.
EDIT: This even allows for filtering .onion addresses in the Qubes VM firewall (if you don't mind painstakingly typing an Onion v3 address, since copypasting to dom0 is disabled and discouraged).