Thx for the nft rules.
But I think there is a little issue there. The rules in nft need to have priority specified. If not, they get the priority depending on when they were created/evaluated. In the qubes-firewall-user-script, the last rules are for blocking all eth0 traffic and then allowing VPN traffic. These two rules need to switch places:
# Allow traffic from the `qvpn` group to the uplink interface (eth0);
# Our VPN client will run with group `qvpn`.
nft add rule ip qubes output oifname eth0 skgid qvpn accept
# Block non-VPN traffic to clearnet
nft add rule ip qubes output oifname eth0 counter drop
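
Added example, not part of the original post or the Qubes script: rules in an nft chain are evaluated in the order they are listed, and `nft add rule` appends to the end of the chain, so a listing shows directly whether the `qvpn` accept sits ahead of the eth0 drop. The function below checks a chain listing for that order; the function name, the sample listings and the gid 1001 are constructed for illustration.

```shell
#!/bin/sh
# check_vpn_rule_order: reads the text of a chain listing on stdin, e.g.
#   nft list chain ip qubes output | check_vpn_rule_order
# Exit status: 0 = skgid accept precedes the eth0 drop,
#              1 = drop comes first (VPN traffic would be dropped too),
#              2 = one of the two rules was not found.
check_vpn_rule_order() {
    awk '
        # first eth0 rule that matches a socket group and accepts
        /oifname "?eth0"?/ && /skgid/ && /accept/ { if (!a) a = NR }
        # first eth0 rule without a group match that drops
        /oifname "?eth0"?/ && !/skgid/ && /drop/  { if (!d) d = NR }
        END {
            if (!a || !d) exit 2
            if (a < d) exit 0
            exit 1
        }
    '
}

# Constructed listing: accept first, then drop (the order proposed above).
sample_good() { cat <<'EOF'
table ip qubes {
	chain output {
		oifname "eth0" skgid 1001 accept
		oifname "eth0" counter packets 0 bytes 0 drop
	}
}
EOF
}

# Constructed listing: drop first, so the accept is never reached.
sample_bad() { cat <<'EOF'
table ip qubes {
	chain output {
		oifname "eth0" counter packets 12 bytes 720 drop
		oifname "eth0" skgid 1001 accept
	}
}
EOF
}

for s in sample_good sample_bad; do
    if $s | check_vpn_rule_order; then
        echo "$s: qvpn accept precedes the eth0 drop"
    else
        echo "$s: qvpn accept is NOT ahead of the eth0 drop"
    fi
done
```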