When the source address is defined as, e.g., 10.123.1.4/30, the first address in the subnet, 10.123.1.4, is reported as still blocked despite being in the allow list.
Update:
The issue seems to arise from the inclusion of two subnets right next to each other, e.g. 10.123.1.4/30 and 10.123.1.8/30. Singular subnets, or multiple subnets that are not adjacent in a single rule, work fine. This seems to be a quirk of the nftables subsystem. One solution would be to merge the adjacent subnets into a single address range, just as the nft CLI tool does.
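The merge described in the update, as an added example that is not part of the report: adjacent or overlapping IPv4 subnets in an allow list are collapsed into contiguous ranges before they are handed to the firewall, and each range is rendered as a single CIDR when it is a whole prefix and as `first-last` otherwise (the function names and the IPv4-only assumption are mine).

```python
import ipaddress

def merge_adjacent(cidrs):
    """Collapse overlapping or directly adjacent IPv4 subnets into ranges.

    Returns a sorted list of (first, last) IPv4Address pairs in which no two
    ranges touch, so 10.123.1.4/30 + 10.123.1.8/30 becomes one range.
    Assumes IPv4 input only (constructed helper, not nftables' own code).
    """
    nets = sorted(ipaddress.ip_network(c, strict=False) for c in cidrs)
    merged = []
    for net in nets:
        first, last = net[0], net[-1]
        if merged and int(first) <= int(merged[-1][1]) + 1:
            # Overlaps or starts right after the previous range: extend it.
            prev_first, prev_last = merged[-1]
            merged[-1] = (prev_first, max(prev_last, last))
        else:
            merged.append((first, last))
    return merged

def as_set_elements(ranges):
    """Render ranges as set elements: a single CIDR when the range is exactly
    one prefix, otherwise 'first-last' (the form nft prints for intervals)."""
    out = []
    for first, last in ranges:
        prefixes = list(ipaddress.summarize_address_range(first, last))
        out.append(str(prefixes[0]) if len(prefixes) == 1 else f"{first}-{last}")
    return out

def is_allowed(addr, ranges):
    """Check an address against the merged allow list."""
    ip = ipaddress.ip_address(addr)
    return any(first <= ip <= last for first, last in ranges)

if __name__ == "__main__":
    # The pair from the report: two adjacent /30s, not alignable to one /29.
    allow = merge_adjacent(["10.123.1.4/30", "10.123.1.8/30"])
    print(as_set_elements(allow))            # ['10.123.1.4-10.123.1.11']
    print(is_allowed("10.123.1.4", allow))   # True: first address is covered
    print(is_allowed("10.123.1.12", allow))  # False: just past the range
```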