IPv6 & XBOX One

Double K

Hello IPv6 gurus!

I've been running pfSense for a number of years on a multi-VLAN home network, sharing a single IPv4 behind NAT with multiple XBOXs.  Everything worked great, except the ability to play against each other in multiplayer in the same house.
Thus, I was excited to finally get an IPv6-capable cable modem that would enable me to connect each XBOX One to its own IPv6 address to enable in-home multiplayer.  However, I can't seem to figure out how to properly setup pfSense to do this (I've got part of the way successful)
Let me clarify that I am enabling one VLAN for IPv6 support - all the other VLANs are IPv4.  Multiple reasons for this - including the fact that my provider, Rogers, only provides a single /64 at this time.

My Setup;
Version 2.3.2-RELEASE-p1 (amd64)

Interface: WAN
    General Configuration
          IPv4 Configuration Type: DHCP
          IPv6 Configuration Type: DHCP6
    DHCP6 Client Configuration
          DHCPv6 Prefix Delegation size: 64
    Reserved Networks
          Block Private networks & loopback addresses: checked/enabled
          Block bogon networks: checked/enabled

Interface: VLAN620
    General Configuration
          IPv4 Configuration Type: None  Note: this is a Pure IPv6 VLAN
          IPv6 Configuration Type: Track Interface
    Track IPv6 Interface
          IPv6 Interface: WAN
          IPv6 Prefix ID: 0
    Reserved Networks
          Block Private networks & loopback addresses: blank/not enabled
          Block bogon networks: blank/not enabled

System / Routing / Gateways
    I created a Gateway for Interface: WAN, Address Family: IPv6, Name: WAN_IPv6, Gateway: dynamic

From this configuration, I have success in getting IPv6 Addresses on my interfaces;
Status: Interfaces
    WAN Interface
          MAC Address 10:34:56:78:90:ab
          IPv6 Link Local: fe80:56ff:fe78:90ab
          IPv6 Address: 2607:f798:a1b2:c3d4:1a2b:3c4d:5e6f:0987
          Subnet mask IPv6: 128
          Gateway IPv6: fe80::321:654:9cba:fed8
          DNS Servers:
              2607:f798:18:10:0:640:7125:5204
              2607:f798:18:10:0:640:7125:5198

VLAN620
          MAC Address 10:34:56:78:90:ab
          IPv6 Link Local: fe80::1:1%em0_vlan620
          IPv6 Address: 2607:fea8:f98e:d76c:1234:56ff:fe78:90ab

Now, to get clients an IP address on VLAN620, and enable them to talk to a DNS server, I've configured the DHCPv6 Server & RA for VLAN 620;
DHCPv6 Server
    DHCPv6 Server: checked/enabled
    Subnet: Prefix Delegation Note: this is automatic from Interface config
    Subnet Mask: 64 bits Note: this is automatic
    Range: ::aaaa:bbbb:cccc:ddd0 to ::aaaa:bbbb:cccc:dddf Note: had to enter something to enable DHCPv6 server
    Prefix Delegation Range: blank
    Prefix Delegation Size: 48
    DNS Servers: 2001:4860:4860::8888 and 2001:4860:4860::8844
    Rest of page is blank/default

Router Advertisements
    Router mode: Stateless DHCP Note: this uses SLAAC to generate the IPv6 address of the client, and provides the DNS servers from the DHCPv6 server config
    Rest of page is blank/default

Firewall rule for VLAN 620 is Allow IPv6 Any from Any to Any through the WAN_IPv6 Gateway.  Firewall System log reports this success for tracking.
When I connect my W7 PC to VLAN 620, I get a SLAAC IPv6 address with the DHCP assigned DNS, can ping google.com (so DNS works), and test-ipv6.com shows 10/10 (and identifies it as a pure IPv6 network with no IPv4 - "that's bold" it said).
When I connect the XB1, I get a SLAAC IPv6 address (per Firewall System Logs & Packet Capture, as the Network Settings screen shows a 169. IPv4).  Firewall System Logs & Packet Capture shows the XB1 querying the Google DNS on IP6, and Packet Capture shows the Google DNS responding.  And it shows the XB1 trying to negotiate a connection with an IPv6 address on port 443.  But nothing else - it just won't connect.

Anyone else got XBOX One working on a pure IPv6 connection?