I recently deployed a full Meraki suite to one of our offices. This includes an MX84, MS120 switches, and MR42 APs. The clients in the office operate solely on wireless.
One of our associates has to VPN into a client network, and from there (receiving a NAT'd address on the client's network) jump into their AWS platform to perform work. Since the deployment, the employee can no longer access the AWS side after successfully VPNing into the client network.
We have tested that it is related to the Meraki network by using a tether off of a cell phone as well as a MiFi device. Both alternative options allowed proper functionality. I could use some help, as I feel like I have configured a rule somewhere mistakenly or a default rule is blocking, but I cannot seem to find it.
From the results you posted, it appears that your packets jump directly to the Internet after hitting your default gateway. Assuming that you had the VPN connection up when you ran the traceroute, I would say that your VPN connection/client does not know about the subnet that you are trying to reach. I would expect to see all private IPs in the route to the AWS app that you mentioned. I would start with validating the VPN connection properties.
Meraki really dislikes ESP and UDP port 500 outbound (from a device behind the MX). It may be worth running a quick packet capture on the MX LAN and Internet interfaces, just to see if the traffic is traversing the firewall.
I have a sneaking suspicion that you won't see the traffic going from LAN - WAN and the traffic is using port 500.
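One way to check that suspicion once you have both captures, as an added example that is not part of this thread and not Meraki tooling: compare the IPsec flows (IKE on udp/500, NAT-T on udp/4500, ESP as IP protocol 50) seen on the LAN-side capture against the Internet-side capture. It assumes the captures were exported as tcpdump text lines (run with -n so ports print as numbers) and keys flows by destination only, because the MX rewrites the source address when it NATs outbound. All sample lines and addresses are constructed.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed sample capture lines in tcpdump's text format (with -n).
# These are invented values, not real captures from the MX.
LAN_CAPTURE = """\
12:00:01.000100 IP 192.168.10.25.500 > 203.0.113.10.500: isakmp: phase 1 I ident
12:00:01.000200 IP 192.168.10.25.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 2/others I inf
12:00:01.000300 IP 192.168.10.25 > 203.0.113.10: ESP(spi=0x0000abcd,seq=0x1), length 132
12:00:01.000400 IP 192.168.10.25.55000 > 198.51.100.7.443: Flags [S], seq 1, win 64240, length 0
"""
WAN_CAPTURE = """\
12:00:01.000150 IP 192.0.2.1.500 > 203.0.113.10.500: isakmp: phase 1 I ident
12:00:01.000450 IP 192.0.2.1.55000 > 198.51.100.7.443: Flags [S], seq 1, win 64240, length 0
"""

LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")
ENDPOINT_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?$")

Flow = Tuple[str, str]  # (destination IP, kind of IPsec traffic)

def classify(line: str) -> Optional[Flow]:
    """Return (dst_ip, kind) for an IPsec-related packet line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    dst = ENDPOINT_RE.match(m.group(2))
    if not dst:
        return None
    dst_ip, dst_port, payload = dst.group(1), dst.group(2), m.group(3)
    if payload.startswith("ESP"):
        return (dst_ip, "ESP (IP proto 50)")
    if dst_port == "500":
        return (dst_ip, "IKE udp/500")
    if dst_port == "4500":
        return (dst_ip, "NAT-T udp/4500")
    return None  # not VPN traffic, ignore

def vpn_flows(capture: str) -> Set[Flow]:
    """All IPsec flows present in one capture, keyed by destination only."""
    return {f for f in map(classify, capture.splitlines()) if f}

def missing_on_wan(lan: str, wan: str) -> List[Flow]:
    """Flows that left the client on the LAN side but never reached the
    Internet side: the ones a firewall rule on the MX would be dropping."""
    return sorted(vpn_flows(lan) - vpn_flows(wan))

if __name__ == "__main__":
    for dst_ip, kind in missing_on_wan(LAN_CAPTURE, WAN_CAPTURE):
        print(f"{kind} to {dst_ip}: seen on LAN, not on WAN")
```

With the constructed captures above, IKE on udp/500 makes it through but NAT-T and ESP to the VPN gateway do not, which is the pattern you would expect if an outbound rule is dropping them.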