It's difficult to comment directly on your design based only on a topology but I'll try to answer your questions.
1. You can use either the MS410 or the Forti as your vlan gateways. It really depends on how much inter-vlan traffic you have, and how much security you want to place between them.
Running all traffic through the Forti will provide better security options but may limit your inter-vlan throughput compared to the switch.
2. Yes, NAT for all network traffic would be performed on the Forti. The management network gateway for the MS350 and AP can be on the MS410 or the Forti (see above) but the management IP for the MS410 must have the gateway of the Forti.
Personally (assuming a small to medium sized office with SaaS workloads), I would probably use the Forti as the VLAN gateways for both data and MGMT traffic.