Hi @tobin_jim
Technically, I guess it should work. The only pain point I see is the static path assignment in the EPG. Basically the traffic should be configured as untagged/native, because everything after the MAC header is encrypted.
Alternatively, what you can do is MACSEC between C9300 and Leaf1, MACSEC between Leafs and Spines, and MACSEC between Spine and IPN routers.
Stay safe,
Sergiu