>Site 2 needs to go across the VPN to Site 1, and then across the VPN tunnel to HQ. This is our issue.
Non-Meraki VPN traffic is not allowed to traverse AutoVPN.
However, with some creativity, it can still be done. You'll need an extra MX in its own network, not part of AutoVPN. It should be plugged into the same LAN as an existing AutoVPN hub.
Build the site-to-site VPN to this additional standalone MX. Create a static route pointing to your AutoVPN hub for all your remote subnets.
On your AutoVPN hub, create a static route pointing to the standalone MX for the remote VPN subnet. Redistribute this static route into AutoVPN.
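The routing plan from the reply above can be checked with a small model before touching the dashboard. This is an added example, not part of the original post: the subnets and device names (`hq-peer`, `standalone-mx`, `hub-mx`, `spoke-mx`) are constructed, and the model assumes traffic with no matching route never reaches the far side.

```python
import ipaddress

# Constructed addressing plan (assumption; the post gives no subnets).
HQ = "10.0.0.0/16"     # behind the non-Meraki VPN peer
SITE1 = "10.1.0.0/24"  # AutoVPN hub LAN, shared with the standalone MX
SITE2 = "10.2.0.0/24"  # AutoVPN spoke

def build_tables(standalone_route=True, hub_route=True, redistribute=True):
    """Per-device routing tables as lists of (prefix, next-hop device)."""
    t = {
        "hq-peer": [(HQ, "local"), (SITE1, "standalone-mx"), (SITE2, "standalone-mx")],
        "standalone-mx": [(SITE1, "local"), (HQ, "hq-peer")],
        "hub-mx": [(SITE1, "local"), (SITE2, "spoke-mx")],
        "spoke-mx": [(SITE2, "local"), (SITE1, "hub-mx")],
    }
    if standalone_route:  # standalone MX: static route to remote AutoVPN subnets via the hub
        t["standalone-mx"].append((SITE2, "hub-mx"))
    if hub_route:         # hub: static route to the HQ subnet via the standalone MX
        t["hub-mx"].append((HQ, "standalone-mx"))
        if redistribute:  # hub advertises that static route into AutoVPN
            t["spoke-mx"].append((HQ, "hub-mx"))
    return t

def trace(tables, start, dst_ip, max_hops=8):
    """Follow longest-prefix-match next hops; return the device path, or None if dropped."""
    dst = ipaddress.ip_address(dst_ip)
    path, dev = [start], start
    for _ in range(max_hops):
        matches = [(ipaddress.ip_network(p), nh) for p, nh in tables[dev]
                   if dst in ipaddress.ip_network(p)]
        if not matches:
            return None  # no route on this device
        _, nh = max(matches, key=lambda m: m[0].prefixlen)
        if nh == "local":
            return path
        path.append(nh)
        dev = nh
    return None  # hop limit reached (routing loop)

def round_trip(tables, a_dev, a_ip, b_dev, b_ip):
    """Return (forward path, return path) between two hosts."""
    return trace(tables, a_dev, b_ip), trace(tables, b_dev, a_ip)

if __name__ == "__main__":
    for label, kwargs in [("full plan", {}),
                          ("no static route on standalone MX", {"standalone_route": False}),
                          ("static route not redistributed", {"redistribute": False})]:
        print(label, round_trip(build_tables(**kwargs),
                                "spoke-mx", "10.2.0.10", "hq-peer", "10.0.5.5"))
```

Dropping either static route or the redistribution breaks one direction only, which is why a one-way test such as watching packets leave Site 2 can look healthy while replies from HQ never arrive.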