
Good luck trying to stop a bot army that uses IPv6


What is the best solution here?


Block the prefix just like when you blocked single addresses.


Won't this block an enormous range of IPv6 addresses?


Yes it would. But from a blocking-the-offender perspective, it would be equivalent to blocking the offending IPv4 address.

In v4, you block the offending address and you block all the NATed devices behind that v4 address.

In v6, you block the offending prefix and you block all the (non-NATed) devices behind that prefix.

In both cases you block an individual compromised subscriber, no matter whether only a subset of their devices are compromised.


An IPv6 /64 allocation is the smallest possible allocation, i.e. to a single end user.


No, it's a single network segment, not an end user. There unfortunately is quite a number of providers who seem to think that it should be, but that's braindead, exactly because it allows for only one network segment (if you want to use autoconfiguration), while the address space is intentionally so large as to not restrict people to specific network architectures and also to avoid any administrative overhead for allocation of additional addresses - the original assumption was that every "end site" (that is, a customer of an ISP) gets a /48 by default, unless they show that they do indeed need more (which would be a very rare exception).


I meant that a /64 is a useful size to block, since a /64 is by definition a single physical network.


Even if you are blocking at the /64 allocation there are an awful lot more possible addresses that you need to block than with IPv4.


You will block many more possible addresses, but you'll still only block one subscriber's network(s) which is exactly equivalent to blocking a v4 NATed address - you block all of their LAN, regardless of which individual device is compromised and which one isn't.


Sure it is, but it's still just a single firewall rule. There isn't really any difference for the firewall whether you block a specific address or some network prefix.
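The prefix-keyed blocking discussed in this thread, as an added example that is not part of any comment above: an offending IPv4 address becomes a /32 entry, an offending IPv6 address becomes its /64 (or a wider prefix such as /48 if you choose), so a bot rotating through addresses inside one subscriber's prefix still hits a single rule. The class and function names, and the sample addresses from documentation ranges, are constructed for this example.

```python
import ipaddress
from typing import Union

# Prefix lengths that turn one offending address into one block entry.
# IPv4: the single (NATed) address. IPv6: the /64, the smallest prefix
# normally handed to a single network segment.
V4_BLOCK_PREFIX = 32
V6_BLOCK_PREFIX = 64

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def block_entry(addr: str, v6_prefix: int = V6_BLOCK_PREFIX) -> IPNetwork:
    """Map one offending address to the network a single rule would block."""
    ip = ipaddress.ip_address(addr)
    plen = V4_BLOCK_PREFIX if ip.version == 4 else v6_prefix
    # strict=False zeroes the host bits so the result is the covering prefix.
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


class PrefixBlocklist:
    """Blocklist keyed by network prefix rather than by exact address."""

    def __init__(self, v6_prefix: int = V6_BLOCK_PREFIX) -> None:
        self.v6_prefix = v6_prefix
        self.rules: set = set()  # one entry per blocked subscriber network

    def add_offender(self, addr: str) -> IPNetwork:
        net = block_entry(addr, self.v6_prefix)
        self.rules.add(net)  # re-adding an address from a blocked /64 is a no-op
        return net

    def is_blocked(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self.rules if net.version == ip.version)


def demo() -> PrefixBlocklist:
    """Constructed sample: one v4 offender and a v6 bot rotating inside one /64."""
    bl = PrefixBlocklist()
    bot_addresses = [
        "203.0.113.7",                      # TEST-NET-3, a single NATed subscriber
        "2001:db8:1234:abcd::1",            # three addresses, same /64 ...
        "2001:db8:1234:abcd::2:3",
        "2001:db8:1234:abcd:ffff:ffff:ffff:fffe",
    ]
    for a in bot_addresses:
        bl.add_offender(a)
    return bl  # four offending addresses collapse into two firewall rules
```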



