I am in the process of doing a deployment where there are existing cloud-based applications that utilize source IP address lists for security. With the current model, all outbound network traffic goes through a single hub location whose IP address is whitelisted within the application. The plan is to alter this so that each site has direct internet access.
I'm not aware of any way to force specific internet bound traffic across the S2S tunnel. Has anyone had to implement a workaround for this kind of scenario in the field?
Can you get a static IP address for each spoke - that might be the easiest option.
Otherwise as @ww says, you basically have to use two MX in HQ. One in VPN concentrator mode. On that MX network you can add a static route to your Internet gateway (another MX in a different network) and then say to include that in AutoVPN.