After digging around a bit, I found this thread: Prevent cross-talk
Applying the following to the containers I want to isolate is exactly what I need:
devices:
  eth0:
    nictype: bridged
    parent: wan0
    type: nic
+   security.port_isolation: "true"
The host bridge, Incus and pfSense themselves were configured correctly.
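An added example, not part of the original post: a small audit that lists bridged NICs on a given bridge that do not have `security.port_isolation` enabled. Isolation only applies between ports that both have it set, so one unmarked container can still reach every other one. The input shape (a list of instances with `expanded_devices`, as from `incus list --format json`), the instance names and the `exempt` parameter are assumptions made for this sketch.

```python
import json

# Constructed sample, shaped like `incus list --format json` output (assumption).
# Instance names are made up; "pfsense" stands in for the router on the bridge.
SAMPLE = json.loads("""
[
  {"name": "web", "expanded_devices": {
     "eth0": {"type": "nic", "nictype": "bridged", "parent": "wan0",
              "security.port_isolation": "true"}}},
  {"name": "db", "expanded_devices": {
     "eth0": {"type": "nic", "nictype": "bridged", "parent": "wan0"}}},
  {"name": "pfsense", "expanded_devices": {
     "eth0": {"type": "nic", "nictype": "bridged", "parent": "wan0"},
     "eth1": {"type": "nic", "nictype": "bridged", "parent": "lan0"}}},
  {"name": "build", "expanded_devices": {
     "root": {"type": "disk", "path": "/", "pool": "default"},
     "eth0": {"type": "nic", "nictype": "bridged", "parent": "wan0",
              "security.port_isolation": "false"}}}
]
""")

TRUTHY = {"true", "1", "yes", "on"}  # boolean spellings accepted for the key


def unisolated_ports(instances, bridge, exempt=()):
    """Return (instance, device) pairs on `bridge` lacking port isolation.

    `exempt` names instances that must stay unisolated on purpose, such as
    the router that isolated containers still need to reach.
    """
    findings = []
    for inst in instances:
        if inst["name"] in exempt:
            continue
        # expanded_devices includes devices inherited from profiles.
        for dev_name, dev in sorted(inst.get("expanded_devices", {}).items()):
            if dev.get("type") != "nic" or dev.get("nictype") != "bridged":
                continue
            if dev.get("parent") != bridge:
                continue
            value = str(dev.get("security.port_isolation", "false")).lower()
            if value not in TRUTHY:
                findings.append((inst["name"], dev_name))
    return findings


if __name__ == "__main__":
    for name, dev in unisolated_ports(SAMPLE, "wan0", exempt=("pfsense",)):
        print(f"{name}/{dev}: security.port_isolation not enabled on wan0")
```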