Every segment in NSX-T, regardless if it is Overlay or VLAN backed has segment profiles attached to it. One of these is the security profile which, among other security features, has DHCP protections to prevent unknow/undesired DHCP servers on the network. This might be preventing the DHCP packets from the VMs reach the DHCP server. Have you taken a look at the segment profiles attached to this segment?
Never thought there would be a firewall rule on the switchport blocking DHCP but sure enough.
For someone else finding this thread:
Advanced Networking & Security > Networking > Switches > Switching Profiles
Select nsx-default-switch-security-vif-profile > Actions > Clone Profile
Uncheck Server Block under DHCP
Then click on Ports and select your DHCP server(s) > Edit > Switching Profiles
Change Switch Security to the new profile you just created
That'll keep DHCP Server blocked for all other servers except the one(s) you want DHCP available from
It is not actually a firewall but common security features available on L2 switches. This control regarding DHCP is like DHCP snooping with trusted interfaces on any common switch.