OK, so authoritative answers are as follows:
- DFW rules with NSX-T will only apply to resources attached to the N-VDS; NSX-T has no capability of applying firewall rules to VDS-based port groups.
- For what it's worth, in NSX 2.4 there is a new feature called "Effective members" that only allows me to see vCenter-based resources that I can actually apply firewall rules to in the UI.
- Upgrading to 2.4 fixed my issue; I can now properly block between my virtual machines, and DFW is operating as intended.