I was also having the same issue described by OP when setting multiple dhcp-match / dhcp-boot options via uci commands, so I decided to take full control and edit /etc/dnsmasq.conf directly (see https://openwrt.org/docs/guide-user/base-system/dhcp.dnsmasq#etcdnsmasqconf)
I ended up adding this uncomplicated block in there:
###################################
# TFTP Server custom configutation
####################################
enable-tftp
#tftp-root=/root/tftp
# Set tags based on client arch
dhcp-match=set:bios,option:client-arch,0
#dhcp-match=set:efi-i32,option:client-arch,2
#dhcp-match=set:efi-i32,option:client-arch,6
#dhcp-match=set:efi-i64,option:client-arch,7
#dhcp-match=set:efi-i64,option:client-arch,8
#dhcp-match=set:efi-i64,option:client-arch,9
#dhcp-match=set:efi-a32,option:client-arch,10
#dhcp-match=set:efi-a64,option:client-arch,11
# Use kpxe file for legacy bios clients
dhcp-boot=tag:bios,http://boot.netboot.xyz/ipxe/netboot.xyz.kpxe
# Use efi file for anything else (ie: efi clients).
# Notice the negated 'bios' tag
dhcp-boot=tag:!bios,http://boot.netboot.xyz/ipxe/netboot.xyz.efi
That block allows legacy bios clients to boot from http://boot.netboot.xyz/ipxe/netboot.xyz.kpxe and any other non legacy bios clients -UEFI clients basically- to boot from http://boot.netboot.xyz/ipxe/netboot.xyz.efi.
Since the boot files are pulled from the netboot.xyz project via http, I didn't even need to set the tftp-root setting in my dnsmasq.conf.
You can definitely have more fine grained control on which dhcp-boot files get assigned to which client arch tags. In my example above I'm only using the bios tag and its negated form !bios to discriminate, but you could uncomment the other dhcp-match entries and add new dhcp-boot lines to suit your needs.
Please note that if you configure TFTP settings via /etc/dnsmasq.conf then make sure you disable the TFTP settings in LUCI (or its underlying config file /etc/config/dhcp) so there's no conflict between them.
Finally to apply the changes, run:
/etc/init.d/dnsmasq restart