A bit of an old post
HCX deploys several appliances with a private address range list local to the appliance. NSXV is unable to see these IPs and as such is unable to apply firewall rules which you have created using tags or groups. To get around this you have to use IP sets. With the later versions of HCX, i have noticed that after an upgrade the HCX appliances now appear in the global exclusion list of NSX.
This is as it is intended and after many NSX V engineer meetings and HCX engineers looking this is just how it is...