This is how the firewall page looks after they have made the additional change to allow inbound connections:
As you can see the "inbound rules" default rule is "allow any". It has been changed from a stateful firewall to just a firewall.
It sounds like you have the "incorrect" partial configuration that I had (and managed to get resolved) when I initially asked to be included in the NO-NAT beta. It's a very new feature and it's clear that not all Meraki case support are experienced with setting it up yet.
I'd ask the Meraki support person you are talking with to check their internal NO-NAT documentation, which one of the people I was dealing with confirmed has been updated to include instructions on how to disable the inbound firewall too.
Apparently, they have to apply this change to the serial number of the device rather than the network at the moment (which is odd, as it appears as a difference in the network firewall user interface).
It's very strange that they have separated the two features as the vast majority of people disabling outbound NAT are also going to want to be able to connect to devices behind the LAN interfaces from some place upstream on a WAN link. Strictly speaking, a true L3 router should have no WAN/LAN distinction.
I've not tested out the VLAN-based exceptions yet, although they are present in the UI so I had assumed they will work.
I have been seeing an issue where I can't ping any of the LAN interfaces of the Meraki from any place upstream of it (ICMP is allowed from any remote IP, as you can see). However, I can access the client devices in my Meraki-created VLANs from the upstream router (and our other locations), so it's working for us.