If getting a separate prefix is not possible, you can use IPv6 masquerading:
sudo nmcli connection modify LAN_CONNECTION \
ipv6.method shared \
ipv6.addresses 2001:db8::1/64
sudo nmcli connection up LAN_CONNECTION
...
sudo firewall-cmd --permanent --policy=internal-external \
--add-rich-rule="rule family=ipv6 masquerade"
sudo firewall-cmd --reload
See also:
NAT router with 2 interfaces, how to do with firewalld and Centos 9 Stream - #5 by vgaetera
To be clear, your current setup is broken due to using the same IPv6 prefix/route for both upstream and downstream interfaces.
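A quick way to catch the broken state just described (the same global prefix routed on both the upstream and the downstream interface) before enabling masquerading. This is an added example, not part of the original post or of NetworkManager/firewalld; it only reads `ip -6 route show` output, and the route lines below are constructed to mirror the broken setup and the corrected one (LAN on 2001:db8::/64 as in the nmcli command above, upstream on a different /64):

```shell
#!/bin/sh
# Added example (not from the original post): detect the broken state where
# the same global IPv6 prefix is routed on both the upstream and the downstream
# interface of a NetworkManager/firewalld router. Feed it the output of
# `ip -6 route show`; the samples further down are constructed.

# Print every on-link global prefix that appears on more than one interface,
# one line per prefix: "<prefix> <dev1> <dev2> ...". Link-local (fe80::/64),
# multicast and default/unreachable routes are ignored.
dup_prefix_routes() {
    awk '
        $1 == "default" || $1 == "unreachable" || $1 ~ /^fe80:/ || $1 ~ /^ff/ { next }
        $2 == "dev" {
            key = $1 SUBSEP $3
            if (!(key in seen)) {
                seen[key] = 1
                count[$1]++
                list[$1] = (count[$1] == 1) ? $3 : list[$1] " " $3
            }
        }
        END {
            for (p in count)
                if (count[p] > 1) print p " " list[p]
        }' | sort
}

# Exit 0 when every global prefix is bound to exactly one interface, 1 otherwise
# (offending prefixes on stdout), so it can gate a provisioning script.
check_router_prefixes() {
    dups=$(dup_prefix_routes)
    if [ -n "$dups" ]; then
        echo "same prefix on several interfaces (masquerading cannot work):"
        echo "$dups"
        return 1
    fi
    echo "ok: each global prefix is bound to one interface"
    return 0
}

# Constructed sample: `ip -6 route show` when the LAN was given the prefix
# already in use upstream on eth0 (the broken setup).
BROKEN_ROUTES='2001:db8:1::/64 dev eth0 proto kernel metric 100 pref medium
2001:db8:1::/64 dev eth1 proto kernel metric 101 pref medium
fe80::/64 dev eth0 proto kernel metric 1024 pref medium
fe80::/64 dev eth1 proto kernel metric 1024 pref medium
default via fe80::1 dev eth0 proto ra metric 100 pref medium'

# Constructed sample: after `ipv6.method shared` with a LAN prefix
# (2001:db8::/64, as in the post) distinct from the upstream one on eth0.
FIXED_ROUTES='2001:db8:1::/64 dev eth0 proto kernel metric 100 pref medium
2001:db8::/64 dev eth1 proto kernel metric 101 pref medium
fe80::/64 dev eth0 proto kernel metric 1024 pref medium
fe80::/64 dev eth1 proto kernel metric 1024 pref medium
default via fe80::1 dev eth0 proto ra metric 100 pref medium'

# On a real router run instead:  ip -6 route show | check_router_prefixes
printf '%s\n' "$BROKEN_ROUTES" | check_router_prefixes || true
printf '%s\n' "$FIXED_ROUTES" | check_router_prefixes
```

Run it on the router after `nmcli connection up` and before the `firewall-cmd` step; a non-zero exit means the downstream prefix still collides with the upstream one and the masquerade rule will not help.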