After RTFM I was able to stop the Intel i40en driver from disabling trusted mode on the virtual functions on every reboot, but that didn't resolve the error message. The good news is now the firewall doesn't come up from a boot in a broken state every time, but this confirms the "AQ returned error VIRTCHNL_ERR_PARAM to our request CONFIG_RSS_KEY!" error is unrelated to the i40en driver's handling of trusted mode.
Anyone else have any brilliant ideas for what could be causing the error message?
Anyone have any guess as to whether it can safely be ignored? It doesn't stop pfSense from passing traffic on the NIC so it seems to "work," but God forbid it's creating some sort of security vulnerability!