You can add this to the file /rw/config/qubes-firewall-user-script in your sys-vpn qube; this will block all traffic that doesn’t belong to the VPN. Let’s say it’s a kill switch at the Qubes OS level: even if the app doesn’t work correctly, the kill switch will always be enabled.
```sh
# Prevent the qube from forwarding traffic outside of the VPN
nft add rule qubes custom-forward oifname eth0 counter drop
nft add rule ip6 qubes custom-forward oifname eth0 counter drop
```
I hope this helps.
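
One way to confirm that both rules are actually loaded, as an added example that is not part of the original post: the script below parses `nft list ruleset` text and reports whether the `eth0` drop rule is present in `custom-forward` for both the `ip` and `ip6` `qubes` tables. The function name `killswitch_status`, the `--live` switch and the sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): verify the kill-switch rules.

# Reads `nft list ruleset` text on stdin; prints "ok" or "missing: <families>".
killswitch_status() {
    awk '
        # Remember the current table ("table ip qubes {") and chain.
        $1 == "table" { family = $2; table = $3; chain = ""; next }
        $1 == "chain" { chain = $2; next }
        # A closing brace on its own line ends the current chain or table.
        $1 == "}"     { chain = ""; next }
        # nft prints the rule as: oifname "eth0" counter packets N bytes N drop
        table == "qubes" && chain == "custom-forward" &&
        /oifname "eth0"/ && $NF == "drop" { seen[family] = 1 }
        END {
            missing = ""
            if (!seen["ip"])  missing = missing " ip"
            if (!seen["ip6"]) missing = missing " ip6"
            if (missing == "") print "ok"; else print "missing:" missing
        }
    '
}

# Constructed sample: both families carry the drop rule.
SAMPLE_OK='table ip qubes {
	chain custom-forward {
		oifname "eth0" counter packets 12 bytes 720 drop
	}
}
table ip6 qubes {
	chain custom-forward {
		oifname "eth0" counter packets 0 bytes 0 drop
	}
}'

# Constructed sample: the IPv6 rule was never added, so IPv6 can still leak.
SAMPLE_V4_ONLY='table ip qubes {
	chain custom-forward {
		oifname "eth0" counter packets 12 bytes 720 drop
	}
}
table ip6 qubes {
	chain custom-forward {
	}
}'

# Run as root inside sys-vpn with --live to check the loaded ruleset.
if [ "${1:-}" = "--live" ]; then nft list ruleset | killswitch_status; fi
```

A non-zero `packets` counter on either rule means the qube tried to forward traffic out of `eth0` and the rule dropped it.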