That depends... who is initiating (read: establishing) the connection? FW4 is stateful, so if your Home Assistant (FWIW, I also have and use Home Assistant in my home) initiates a connection to one of your IoT devices, then all you need is to allow your "LAN" zone in FW4 to forward to the IoT zone. Then no firewall rules are needed for your HA box to establish a connection to an IoT device. The IoT device is then allowed to talk back to HA because of the statefulness of that existing connection. Again, directionality absolutely matters here, as in any stateful firewall.
You would likely want to disallow your IoT zone from forwarding to your "LAN" zone--that's what gives you the protection of having IoT on a separate subnet/VLAN.
Does that help?
Here's a view of my FW4 config on my x86 router box:
"LAN", guest, IoT are all separate subnets, each on their own VLAN at the L2 level. Guest and IoT are allowed to reach WAN, but not LAN. LAN is free to talk to all other zones.
I should wrap this up by saying that our discussion now is getting way off topic. If you want to continue this firewall/VLAN conversation, there are likely other threads that exist for us to continue there.
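The zone layout described in the post above, written out as an `/etc/config/firewall` excerpt. This is an added example, not the poster's actual configuration; the network names `lan`, `iot` and `wan` and the rule names are assumptions, and a guest zone would mirror the `iot` entries.

```conf
# /etc/config/firewall (excerpt). Constructed example: the networks 'lan'
# and 'iot' are assumed to be defined in /etc/config/network, and the stock
# 'wan' zone and lan -> wan forwarding are assumed to be left as shipped.

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'iot'
	list network 'iot'
	# IoT hosts may not open connections to the router itself
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# LAN (e.g. Home Assistant) may initiate connections to IoT devices;
# replies are accepted by connection tracking, no extra rule needed.
config forwarding
	option src 'lan'
	option dest 'iot'

# IoT devices may reach the internet.
config forwarding
	option src 'iot'
	option dest 'wan'

# Deliberately no forwarding with src 'iot' and dest 'lan':
# IoT devices cannot start a connection into the LAN subnet.

# With input REJECT, IoT clients still need DHCP and DNS from the router.
config rule
	option name 'Allow-IoT-DHCP'
	option src 'iot'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-IoT-DNS'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

Running `fw4 print` renders the resulting nftables ruleset, which makes it easy to confirm that no chain forwards from the IoT zone to the LAN zone.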