I am in desperate need of some help

Goal:
We want all "Lab Devices" on our Vlan6 to be explicit deny ALL rule to not let any traffic IN or OUT unless specified. Any device found on VLAN6 should be a "Lab Device." (Meraki Default rule is Any Any Allow for Group Policy) We will need to whitelist some HTTPS addresses in order for certain things to work on this network like Azure AD login and other things.

Background: We currently have a group policy thats applied to VLAN 6. (Group Policy takes precedent over any Firewall Policy. ) Group Policies are applied in two ways. First it checks the Layer Three Rules. If there is a match it will stop processing future rules. If no rules match it will eventually hit the DENY any any rule. And basically will never hit the Default Any Any Allow created for Group Policy.

Then the layer 7 Rules will be hit.
We say in this rule deny all web traffic (Appended) unless specifically specified in the whitelist.

This also seems to be what is recommended as well but does not work in practice due to the issue below. Layer 3 Rules (Can Provide Picture) Layer7 Rule (Can Provide Picture)

Issues:
Because we need DNS traffic port 53 and HTTPS Traffic port 443 in the Layer 3 Rules. Its finding a match for the DNS Rule rule and then failing to process any other rule in the list (This is whats expected apparently in the document "Using Layer 3 Firewall Rules") This results in us being able to see the DNS name but not actually browse to the site, We attempted to correct this by specifying the port 53 and 443 within the same rule entry but Meraki will not allow us to save when its formatted like this. In Meraki policies, its my understanding that once a Rule is met it will stop processing further rules.