Whonix KVM dnsmasq - listen port on host operating system - attack surface reduction

Note this is not specific to Whonix and could be interpreted as a Linux host running libvirt. This is already discoverable, and it is hard to hide the type of OS running on a network because of the different ways they react.

Binding to localhost would break it because the whole point is to have it listening on whatever arbitrary internal LAN IP ranges libvirt binds it to on the fly. OP can go ahead and try to uninstall it and deal with the fallout, but as a default option this is unworkable.

Does ufwall change nmap results? Or is it using raw ports?

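For the binding question discussed above, a host-side check written as an added example (not code from any poster in this thread or from Whonix): it classifies where each dnsmasq socket is bound, so a libvirt bridge-only listener can be told apart from a wildcard one. The sample `ss -H -lntup` lines are constructed, the function names are hypothetical, and the column layout is assumed to be that of iproute2's `ss`.

```python
import ipaddress

# Constructed sample of `ss -H -lntup` output on a libvirt host (not from the thread).
SAMPLE_SS = """\
udp UNCONN 0 0 192.168.122.1:53 0.0.0.0:* users:(("dnsmasq",pid=1201,fd=5))
udp UNCONN 0 0 0.0.0.0%virbr0:67 0.0.0.0:* users:(("dnsmasq",pid=1201,fd=3))
tcp LISTEN 0 32 192.168.122.1:53 0.0.0.0:* users:(("dnsmasq",pid=1201,fd=6))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=800,fd=3))
udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:* users:(("dnsmasq",pid=1300,fd=4))
"""

def scope_of(local):
    """Classify an ss local-address field such as '0.0.0.0%virbr0:67'."""
    addr, _, _port = local.rpartition(":")
    addr, _, iface = addr.partition("%")
    if iface:                       # socket is tied to one interface
        return "device:" + iface
    if addr == "*":                 # ss notation for a dual-stack wildcard
        return "wildcard"
    ip = ipaddress.ip_address(addr.strip("[]"))
    if ip.is_unspecified:
        return "wildcard"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "internal"
    return "routable"

def dnsmasq_listeners(ss_output):
    """Return (proto, local_address, scope) for every dnsmasq socket."""
    rows = []
    for line in ss_output.splitlines():
        fields = line.split()
        # The process column is only present when ss runs with -p and enough privilege.
        if len(fields) < 6 or '"dnsmasq"' not in " ".join(fields[6:]):
            continue
        rows.append((fields[0], fields[4], scope_of(fields[4])))
    return rows

def needs_review(ss_output):
    """dnsmasq sockets reachable beyond a single bridge address or interface."""
    return [(p, l) for p, l, s in dnsmasq_listeners(ss_output)
            if s in ("wildcard", "routable")]

if __name__ == "__main__":
    for proto, local, scope in dnsmasq_listeners(SAMPLE_SS):
        print(f"{proto:4} {local:22} {scope}")
    print("review:", needs_review(SAMPLE_SS))
```

On a real host, feed it the output of `ss -H -lntup` run as root in place of `SAMPLE_SS`.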