Are you pinging the interface IP of the MX itself? That might still work due to the process flow. But if the source and destination of the pings are other devices beyond the MX interface itself, I'd open a support case to assist with a packet walk since it should be blocked, and of course make sure there's not some other alternate path apart from the MX itself to get between VLANs. Also confirm first, via packet capture on the LAN side of the MX, that you are in fact seeing the ICMP traffic ingress and egress. Also, as a test, create 2 permit statements for the same traffic and place them higher in the list and see if their hit counters increase, then remove them and test again to confirm they're skipping the deny statements somehow.