SOLVED - Default gateway block rule for WireGuard gateway hosts not working

Started by burntoc, April 02, 2021, 08:57:16 PM

So I'm routing a few of my Unraid containers with static IPs across a WireGuard VPN, while everything else goes out the default non-VPN gateway. When I enable the VPN gateway the specified hosts (aliased on OPNsense) seem to follow the intended route out the VPN gateway - great.

So I also tried the "kill switch" steps from the guides I read: set a tag on that routing rule and create a floating block rule on the non-VPN gateway interface that blocks traffic from those aliased hosts if the VPN goes down, using the match-tag option. If I disable the VPN, however, the hosts are going out my default gateway instead of being blocked. I mean, compared to the other stuff this part seems pretty dead simple. I've restarted WireGuard, restarted the containers, etc. and it keeps behaving the same way.

Anyone have ideas as to why this part wouldn't be working?

Not sure if it took one or both of these things, but in my floating block rule I just rely on TAGS and left source ANY instead of the VPN hosts alias as it seems to not work right without that.  It may have also involved a firewall rule order issue, as I moved it up higher as well.
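For readers following this thread, the rule set below is an added illustration of the tag-based kill switch described above, written in plain pf syntax rather than exported from OPNsense (OPNsense generates its pf rules from the GUI, but the tag/tagged mechanics are pf's own). Interface names, the tunnel gateway address and the host addresses are assumptions made up for the example.

```pf
# Illustrative pf ruleset written for this thread; not an OPNsense export.
# Interface names, the tunnel gateway and the host addresses are assumed.
lan_if = "igb1"
wan_if = "igb0"
wg_if  = "wg0"
wg_gw  = "10.8.0.1"                                  # placeholder: far end of the tunnel
table <vpn_hosts> { 192.168.1.50, 192.168.1.51 }     # constructed container IPs

# Outbound NAT on WAN is applied before outbound filtering, so a packet
# filtered on $wan_if already carries the WAN address as its source. A block
# rule that names <vpn_hosts> as source can therefore never match on WAN,
# which is why the floating rule has to key on the tag with source "any".
nat on $wan_if inet from $lan_if:network to any -> ($wan_if)

# Policy route: VPN-only hosts leave through the tunnel, and the packet is
# tagged so later rules can recognise it after address rewriting.
pass in quick on $lan_if inet from <vpn_hosts> to any \
    route-to ($wg_if $wg_gw) tag VPN_ONLY keep state

# Kill switch: anything tagged VPN_ONLY that is about to leave via WAN is
# dropped. "quick" and placement ahead of the general pass rule are what make
# it win; a broader pass rule evaluated first would let the traffic out.
block out quick on $wan_if inet tagged VPN_ONLY

# Everything else on the LAN keeps using the default gateway.
pass in quick on $lan_if inet from $lan_if:network to any keep state
```

Two things to check when a rule like this appears not to fire: the direction of the floating rule must be out on the WAN interface (the tag is only seen on the way out), and the rule must be evaluated before any pass rule that also matches, which in OPNsense means keeping the floating block above other floating passes. Note also that OPNsense has an advanced setting, "Skip rules when gateway is down"; when it is unset and the VPN gateway is marked down, the policy-routing rule falls back to the default route, which is exactly the situation the tagged block rule exists to catch.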