For the MX to include IP addresses in its encryption domain it has to have them as either directly connected layer 3 interfaces or static routes.
In your case they would have to be static routes - for the two web sites you want to be accessible.
However you can not add a static route via a WAN interface. Consequently you can add them into the MX encryption domain. Consequently you wont be able to build an SA with the MX that includes those two public IP addresses on its side.
I can not think of way you will be able to get this to work using only the kit mentioned.
You would need a proxy server or something similar at the MX site to make this work. A trip I have used in the past is using the TCP port forward option in Windows server. You configure a server at the MX site to forward a port from its LAN IP address to the remote web site. Then create a hosts entry on your clients machine pointing at that server.
The other option is to use the "Meraki" VPN client where it is doing a full tunnel.