Dynamic routing with Azure VPN Gateway and with inspection by NVA

I’m searching for a possibility to implement a topology like this:

Spoke VNETs <====> NVA, for instance FortiGate <=====> VPN Gateway <=====> on-premises

Implementing this with static routing is pretty straightforward, but it has irritating limitations:

  • If I place the NVA and the VPN Gateway in the same HUB-VNET while enabling the Enable Spoke-VNET to use HUB-VNET's remote gateway or route server option – then narrow on-premises prefixes learned from the VPN Gateway will override the more generic prefixes in the Spoke-VNET UDRs, which steer traffic towards on-premises to the NVA for inspection. I’ll need to override each one of them in the UDRs, which is not practical.

  • If I place them in the same HUB-VNET without enabling this option, or if I place the VPN Gateway in a VNET not peered directly with the Spokes – then the VPN Gateway won’t know the IP ranges of the Spoke VNETs. It will still deliver traffic for them to the NVA by means of a UDR applied to its GatewaySubnet – but if the VPN Gateway learns some prefix overlapping with a Spoke VNET’s prefix from one of its BGP-over-IPsec peers – it will send the traffic there instead of delivering it to the NVA, and communication will fail.

Example:

  • UDR of GatewaySubnet says “deliver traffic to 10.0.0.0.0/0 via NVA“.
  • The Spoke VNET’s range is 10.11.12.0/24.
    If the VPN Gateway doesn’t learn it automatically from the SDN, while learning a prefix 10.11.0.0/16 from some of its BGP peers – then traffic to 10.11.12.0/24 will be sent to this peer instead of the Spoke.

I’m looking for a solution that would:

  1. Allow Spoke VNETs to deliver traffic to the NVA – without me having to override by UDRs each narrow prefix injected into them by the VPN Gateway.

  2. Allow the VPN Gateway to learn the prefixes of the Spoke VNETs automatically – while still delivering traffic to them via the NVA.

Is such a thing possible? With Azure Route Server or without?

Thanks!
Mucius.
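The two failure modes in the question both come down to how Azure picks a subnet's effective route: the longest matching prefix wins, and only among equal-length prefixes does a user-defined route beat a BGP-learned one, which beats a system route. The simulation below is an added example, not part of the post and not an Azure tool; it reproduces that selection rule over constructed route tables that mirror the post's topology. The prefixes 192.168.0.0/16 and 192.168.50.0/24 are assumed on-premises ranges, the next-hop names are labels chosen here, and the GatewaySubnet UDR is taken as 0.0.0.0/0 (the post writes it as "10.0.0.0.0/0"; any aggregate broader than the learned /16 behaves the same way).

```python
"""Longest-prefix-match simulation of Azure subnet route selection.

Added example (not from the original post). Selection rule modelled:
most specific prefix wins; on equal length, User (UDR) > BGP > System.
All routes and addresses below are constructed to mirror the post.
"""
import ipaddress
from dataclasses import dataclass

# Tie-break rank for equal-length prefixes (lower wins).
SOURCE_RANK = {"User": 0, "BGP": 1, "System": 2}


@dataclass(frozen=True)
class Route:
    prefix: str     # e.g. "10.11.0.0/16"
    next_hop: str   # label for the next hop, e.g. "NVA"
    source: str     # "User" (UDR), "BGP" (learned via the VPN GW) or "System"


def select_route(routes, dst):
    """Return the effective route for dst, or None if nothing matches."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    # Longest prefix first; within equal length, User > BGP > System.
    return min(
        candidates,
        key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                       SOURCE_RANK[r.source]),
    )


def next_hop(routes, dst):
    r = select_route(routes, dst)
    return r.next_hop if r else None


def udr_overrides_needed(routes, inspector="NVA"):
    """List BGP-learned prefixes that currently bypass the inspector; each
    one needs an equal-length UDR to force traffic back through it."""
    needed = []
    for r in routes:
        if r.source != "BGP" or r.next_hop == inspector:
            continue
        # Probe the first address of the learned prefix: if the effective
        # route already points at the inspector, a UDR covers it.
        probe = str(ipaddress.ip_network(r.prefix)[0])
        if next_hop(routes, probe) != inspector:
            needed.append(Route(r.prefix, inspector, "User"))
    return needed


# Case 1: spoke subnet with "use remote gateway" enabled. The /16 UDR steers
# on-premises traffic to the NVA, but the VPN gateway propagates a narrower
# on-premises /24 into the spoke, and that route wins on prefix length.
SPOKE_ROUTES = [
    Route("10.11.12.0/24", "VnetLocal", "System"),
    Route("0.0.0.0/0", "Internet", "System"),
    Route("192.168.0.0/16", "NVA", "User"),                      # assumed on-prem aggregate
    Route("192.168.50.0/24", "VirtualNetworkGateway", "BGP"),    # narrow prefix from VPN GW
]
# An equal-length UDR for the narrow prefix restores inspection (the
# per-prefix override the post calls impractical at scale).
SPOKE_ROUTES_FIXED = SPOKE_ROUTES + [Route("192.168.50.0/24", "NVA", "User")]

# Case 2: GatewaySubnet. Default UDR to the NVA, spoke prefix not learned,
# overlapping /16 learned over BGP-over-IPsec from an on-premises peer.
GATEWAY_SUBNET_ROUTES = [
    Route("0.0.0.0/0", "NVA", "User"),
    Route("10.11.0.0/16", "BgpPeer-OnPrem", "BGP"),
]
# A UDR for the spoke's own /24 is longer than the learned /16 and wins.
GATEWAY_SUBNET_ROUTES_FIXED = GATEWAY_SUBNET_ROUTES + [Route("10.11.12.0/24", "NVA", "User")]


if __name__ == "__main__":
    print("spoke -> 192.168.50.10 :", next_hop(SPOKE_ROUTES, "192.168.50.10"))
    print("spoke -> 192.168.50.10 (fixed):", next_hop(SPOKE_ROUTES_FIXED, "192.168.50.10"))
    print("overrides still needed:", udr_overrides_needed(SPOKE_ROUTES))
    print("gwsubnet -> 10.11.12.5 :", next_hop(GATEWAY_SUBNET_ROUTES, "10.11.12.5"))
    print("gwsubnet -> 10.11.12.5 (fixed):", next_hop(GATEWAY_SUBNET_ROUTES_FIXED, "10.11.12.5"))
```

Running it shows the first bullet of the question as `VirtualNetworkGateway` for the spoke until the /24 UDR is added, and the second bullet as `BgpPeer-OnPrem` for the GatewaySubnet until a UDR at least as specific as the spoke's range exists. `udr_overrides_needed` enumerates exactly the per-prefix UDRs the question wants to avoid; a second on-premises /24 learned over BGP would add one more entry.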
