Cloud FW controls not applying to ZApp connections from a defined network location?

Has anyone run into this? All our machines have ZApp installed, they connect from defined locations (i.e. NOT road warrior) and the location has FW enabled; however, the FW rules are apparently completely being ignored. These machines connect using Tunnel 2.0 (I’ve tried both TLS and DTLS flavors). As an aside, I also maintain IPSec tunnels for a different internal network location to the ZIA edge.

For example, I have a rule defined to block TCP/4099 outbound. On machines riding the IPSec tunnel to ZIA, I go to portquiz and test 4099, and sure enough the traffic is blocked. On an endpoint machine, in a different subnet defined as a different network location, I try the same test and get right out via TCP/4099. I’ve tried numerous other ports and the behavior stays the same. For my machines with ZApp installed, the FW only seems to apply when the machines are in the ‘road warriors’ location.

I’ve done the whole packet capture thing and the outbound traffic IS being tunneled through to ZIA, it’s just not being filtered.