By default, port forwarded to a Docker container stays accessible to external clients even if it's forbidden by UFW rules. To deny such access one can disable iptables usage in Docker daemon config file /etc/docker/daemon.json:
{
"iptables": false
}
After restarting the daemon UFW rules will start denying such ports