This issue was caused by my firewall and due to complexity between multiple user profiles.
I was able to fix all issues by entirely disabling the firewall set up by the afwall app.
However, as a slightly better option, I was able to fix this issue as follows:
As the 'Owner' profile, enable Airplane mode. Make sure WiFi and Mobile Data are off if you want to use the phone's own internal DHCP server. Then enable Hotspot.
In the user's account where afwall is configured, check the box to give "wifi" access to the row named (any app) - Same as selecting all apps - !! WARNING !!
Note: I did try to isolate the wifi permissions to a single app, but I found that if every app's "wifi" setting was enabled (except the entry for (any app) of course), then it wouldn't work. But if the "wifi" setting was enabled for the (any app) row, then it worked.
So it appears that there is, in fact, a distinction between selecting all apps or selecting the (any app) entry. My guess is this distinction is most relevant when using multiple user profiles.
On another handset, I was able to resolve this issue and get an IP address when only enabling the "wifi" permission for the (root) - Apps running as root entry (as opposed to the (any app) entry). YMMV device-to-device, version-to-version, ROM-to-ROM.