I'll limit my references to IPv4 (IPv6 or ARP are also affected, but IPv6 isn't used by OP and no default firewall for ARP exists).

Docker relies on and loads the kernel module br_netfilter for proper control of container isolation, even between two containers in the same LAN.

This makes Netfilter call IPv4 hooks for bridged frames of type IPv4. While this is documented for iptables, nftables uses the same Netfilter API and its IPv4 hooks (thus family ip for pure IPv4 and family inet for hybrid IPv4+IPv6) are affected the same. The result is described with this schematic:

With br_netfilter loaded, iptables and nftables IPv4 components (small green boxes) normally used in the IPv4 network layer (green boxes in green field) are also used for the bridging link layer case (green boxes in blue field).

So a bridged frame becomes firewalled by iptables's filter/FORWARD chain. And OP did something that's normally not needed (without br_netfilter bridged frames never traverse iptables' filter/FORWARD):

sudo iptables -A FORWARD -i br0 -j ACCEPT 

This allows to bypass the default DROP policy installed by Docker in the FORWARD chain and which now applies to bridged frames. Actually when Docker is around, this rule should be added to the DOCKER-USER chain instead.

But it's also firewalled by any additional hook doing the same: here pure nftables installed by Firewalld, using the inet firewalld table. This part rejects the bridged packets:

table inet firewalld { ... chain filter_FORWARD { type filter hook forward priority filter + 10; policy accept; ... reject with icmpx admin-prohibited } 

In the end the packet is accepted in the first (iptables) forward hook, but gets rejected in the second (Firewalld's nftables) forward hook.

Here, if this version of Firewalld allows such change, simply doing (in addition to OP's iptables command) this as root user, using nftables:

nft insert rule inet firewalld filter_FORWARD iifname br0 oifname br0 accept 

will also allow the frame in this second hook until the rule gets overwritten. Modern versions of Firewalld and kernel might even prevent this rule to be added: the setup should be added in Firewalld's own configuration.

Testing on a Fedora 37 container whith Firewalld changed to OP's settings (and module br_netfilter loaded on host), here's how to get Firewalld to add a forward accept rule for the br0 interface and the ping working:

firewall-cmd --zone=FedoraWorkstation --remove-interface=br0 firewall-cmd --zone=FedoraWorkstation --remove-interface=br0 --permanent firewall-cmd --zone=trusted --add-interface=br0 firewall-cmd --zone=trusted --add-interface=br0 --permanent 

Probably some custom zone with adequate security rules should be used instead.

Some Stack Exchange links where I made answers to related Docker issues:

1 2 3 4