Did you separate the Xbox to a physical VLAN port? It’s known that if you use an Xbox One on the same physical network as your other devices with different firewall rules, it will use UPnP to ignore the firewall rules you set.
I achieved this seamlessly by using an OpenWRT router of mine and two separate WiFi networks through the built-in switch on the consumer router.
It is also known that one Xbox of the two will say the port is unavailable but is indeed being forwarded ports 0-65535, and play online as if it has an open port. The other Xbox will say open.
Also, you don’t need to exclude the port 3074 from the allowed ranges, since the first rule you have being executed is to deny 3074. It overrides the below rules, making your setup redundant… The Xbox needs the port range open to trigger an open NAT.