Query strings do have uses (such as for searching files and some other kind of dynamic files), but you shouldn't add them to URLs that should not expect them. So, I agree that they would be right to refuse requests with UTM and other stuff added like that.

I think 404 probably makes the most sense as the response if a query string is not expected but is present anyways, although 400 might also be suitable.