Interesting, there might be a way to do this.
Drop all incoming/outgoing traffic. Make an exception for a local-only subnet range, say 192.168
Use MapAddress to assign private addresses in the whitelisted range to the Onion Services you want to permit.
Some steps that can help: