As Connor suggested - use packet capture to understand what's going on first. My experience is that, in many CG-NAT cases, you can work around it by reconfiguring your VPN Hubs to use Manual NAT traversal.
Under Security & SD-WAN > Configure > Site-to-site VPN, change NAT traversal from Automatic to "Manual: port forwarding".
Specify a particular public IP and associated UDP port number for the VPN service to reside on. The upstream firewall, behind which the Hub NATs, will need to be configured to match (to forward this traffic to the MX by its real IP, port unchanged). I’d recommend choosing a port between 1025 and 32768, but avoiding 4500.
I'm not from your country ... find out what APNs O2 offers. Many carriers (at least all the ones in my country) have a different APN you can use which is not firewalled and allows you to get an actual public IP address.