I think that you need a Secure SD-WAN Plus license.
https://documentation.meraki.com/General_Administration/Licensing/Meraki_MX_Security_and_SD-WAN_Lice...
VPN Full-Tunnel Exclusion (Application and IP/URL Based Local Internet Breakout)
Overview
VPN full-tunnel exclusion is a feature on the MX and Z Series devices whereby the administrator can configure layer-3 (and some layer-7) rules to determine exceptions to a full-tunnel VPN configuration. This feature is also known as Local Internet Breakout in the industry. The feature applies to both AutoVPN and Non-Meraki VPN (NMVPN) connections.
When configuring a VPN spoke, the administrator can choose what client traffic is sent to the hub: either only traffic destined for subnets that are part of the VPN or all traffic that does not have a more specific route than the default route. This choice is made in Dashboard by checking the Default Route box for the desired hub on the Site-to-site VPN configuration page or by having an NMVPN VPN with a default route associated. On the MX-Z, this changes the default route from pointing to the uplink to pointing to the VPN hub or NMVPN peer.
https://documentation.meraki.com/MX/Site-to-site_VPN/VPN_Full-Tunnel_Exclusion_(Application_and_IP%2...)
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.
Please, if this post was useful, leave your kudos and mark it as solved.