Yes, I picked pfsense since that is what I run but others or just a min install distro should work too.

<LAN> <-> <bridged adapter as WAN > <-> firewall/gateway VM <-> <host-only adapter as LAN > <-> VM

The devil is in the details and it all depends on creating the right rule to only allow gateway traffic.

With the DMZ I think you would need a separate wire which also requires a USB to Ethernet adapter in this case. Regardless pan64 indicated a second wire was not possible.

Yes, you are right, second wire is not a [good] choice. I would probably try this firewall/gateway setup in docker (or in VM?).
For me it looks relatively simple, allow anything to/from router/gateway and deny anything else on the subnet of home network. But correct me if I was wrong.
If nothing works I will also try DMZ, but only as a last chance.

Wait, do you mean that you want the virtual machine exposed to the internet, but with no access to the local network?

Tricky!
Still using manual configuration of a bridged interface: Define a new subnet JUST for the VM. Give it a default route to the gateway, but route the internal subnet it is NOT on the the LO (local) interface at 127.0.0.1. There are other ways, but if you know how to get this working it should suffice.

Actually the subnet of the VM can be a smaller subset (two nodes) of the full internal network. As long as it can ONLY reach itself and the router using that subnet you are golden.

I must say, this is backwards to everything I have seen, and not what I understood you wanted to accomplish. Good luck with it.

This may take a little work on the router to get right, but even without that the routing of the rest of the subnet to an interface nothing exterior can reach should isolate that node from the rest of your internal.