I am currently running Spotify from a flatpak installation and just yesterday I had troubles updating it because it could not simply work around my firewall rules.
Check your firewall / networking settings. How do you connect the VM(s) to the Internet. Maybe, by accident, you connected the template directly to a net VM instead of a firewall VM?
Without modification, a template should not even be able to install a flatpak, because the software does not use the Qubes update proxy by default. You would need to connect your template to a netVM at first.
Moreover: it can’t be related to flatpack - or any other application, as the firewall just don’t know (and don’t care) what application is initiating the connection.
Firewall rules are based on AppVMs. (as a src IP)
Yes, the instructions as posted simply don’t (and cant) produce a
situation where the firewall is circumvented.
So the questions is, what made OP think that the firewall rules were
bypassed?
I tried limit outgoing to a blank list in the Qube setting and Chromium past too. There was an update since the posting which I did not apply yet. I guess the template is taken.