Block the DNS lookups (return NX or something like 127.0.0.1) for epdg.epc.mnc260mcc310.pub.3gppnetwork.org and epdg.epc.mnc120.mcc310.pub.3gppnetwork.org and epdg.epc.mnc530.mcc312.pub.3gppnetwork.org
And/or block UDP outbound to 18.104.22.168/16 port 4500. You could probably just block all outbound to that subnet, but if you want to be sure it just blocks wifi calling, also restrict to that UDP port.
The latter is probably preferred, but the DNS block should work if you don't have the ability to set outbound firewall rules on your router.
Regarding the handoffs, that has always worked reliably for me. But you might have to make sure that "always on mobile data" is enabled under developer options.
Yes, I've seen that scam shield rarely works for me as well. I'm on TNX so I don't have call screener app anymore just the reported "superior" scam shield, but it doesn't seem to work very well. I get scam texts and calls quite a bit.