Verifying updates happen over Tor

I want to be sure all my TemplateVMs and StandaloneVMs update exclusively over Tor.

When I installed Qubes I checked the box to update dom0 and TemplateVMs over Tor but when I run ‘sudo apt update’ or ‘sudo dnf update’ in a TemplateVM it does not appear to update over Tor. Just Hit:1 https:// etc… instead of Hit:1 tor+https://

In /etc/qubes-rpc/policy/qubes.Updates.Proxy the first line is:
$type:TemplateVM $default allow,target=sys-whonix

There’s a difference between using an onion mirror and connecting over
tor+https is a mechanism to run apt via tor, by specifying onion
If you are using a Tor enabled netvm, you don’t need to do this since the
netvm will route the traffic via Tor for you. You can, of course, still
do so.
I don’t use Whonix so cant comment on what they do with apt requests at

tor+http(s) will not use an onion mirror but will simply use your local tor proxy at to connect to the normal clearnet repositories.

What do you mean with a ‘tor enabled netvm?’

In dom0 global settings I can see that the dom0 UpdateVM is set to sys-whonix. But I can’t find any way to verify that the TemplateVMs are also being updated over sys-whonix.

One possibility is that they are if I use the Qubes Update Tool, but not if I try to manually update them over the command line.

This is maybe what is meant by “these bypass built-in Qubes OS update security measures” as mentioned here: How to update | Qubes OS

What I’m looking for is confirmation that if I update using the Qubes Update tool, all updates do in fact go over Tor (using sys-whonix)