I'm starting this post just to ensure that there are no gotchas, etc., with the following:
A large multi-regional MX based network with some sites provisioned with a single Internet connection, while other, more critical sites have two. Only Internet circuits will be used to create a corporate WAN, with regional data centres having MX HA pairs acting as the VPN hubs.
All traffic will be routed to the regional hub / data centre sites, where Internet connectivity is managed via a Palo Alto service the client insists on using, i.e. no local Internet breakout / split tunnelling is permitted.
The ISP is providing "service levels" in respect to latency and QoS over the Internet connections. Traffic levels are not expected to be particularly high, hence MX65, MX100 will be used for the spoke sites with MX250 and above for the regional data centres.
Are there any known issues with mixing SD WAN spoke (where multiple ISP connections exist) and auto VPN branch office (single ISP) connection configurations? As SD WAN sits on top of auto VPN, I was assuming not.
Is it still best to deploy the spoke sites in NAT mode and the DC VPN hub in passthrough? If there is a relevant CVD or case study, apologies, I have missed it!