IPv6 IP address leak using policy-based routing

ULA.

I'm wondering if the single /128 IPv6 address is the problem and that's forcing LAN clients over my ISP's IPv6 connection rather than through the VPN tunnel. That being the case, something like "Unable to get IPv6 to work with Mullvad VPN WireGuard" should work; but it doesn't (quite possibly because I've screwed something up along the way).