
NAT and pray still leaves you screwed under IPv4 these days - attackers know how to bypass NAT-without-filtering.

(I don't think firewalls are a good solution in general, but I would agree that they might be the least-bad way to handle crappy embedded/IoT-type devices.)



The reflector attack in question cannot bypass a NAT setup in any meaningful way. Yes, there are tricks that make some protocols NAT-inspectable. It's not perfect. But as a default behavior it's proven surprisingly strong. Typical IPv6 deployments are significantly less secure, sadly.


On the other hand the main reason we have UPnP at all is to deal with the need to work around NAT - maybe these vulnerable devices simply wouldn't be running a UPnP stack at all under IPv6.



