Hi,
1) If you block learning the TLOC of one branch at another, then you will never have BFD/IPsec toward that branch from the local one. So all VPN traffic will go to HQ. In general, if you need a full-mesh design but want to filter spoke-to-spoke traffic for certain VPNs, then you simply need to not advertise branch routes toward branches in vSmart. For your case, it is not mandatory actually, because, as I understand, you still need branch-to-branch connectivity but via the DC firewall, yes? If yes, then you need to advertise the FW (service routes) in that VPN. Then use a centralized data policy to send traffic to the "FW" service that exists in that VPN for certain traffic flows. This way, you simply override normal routing even though Branch_A has routes toward Branch_B. Br_A will send traffic to the "FW" that is advertised by the HQ devices or, in simple words, it will send traffic to HQ. The HQ devices will see that the traffic should pass through service "FW" and will send it to the FW. After receiving the filtered traffic from the firewall node, the HQ device will route the traffic toward Br_B.
Btw, there is a new feature, "service insertion tracker". You can track the inserted service node to eliminate any type of black-holing when the node is not available.
https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/policies/vedge-20-x/policies-book/service-chaining.html
2) If you need DIA at all sites (branches), then you simply need to not advertise routes from one site to another using a central control policy in vSmart. Then there is a simple solution: a NAT DIA route. In the respective VRF just create a default route in the VPN template and point it to NAT VPN 0. You should have NAT configuration in the interface templates of the transport interface (internet).
https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/sdwan-dia-deploy-2020aug.pdf
HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.
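The following is an added illustration of the two points above (redirecting branch-to-branch flows through an HQ firewall with a service-FW data policy, and a NAT DIA default route); it is not configuration from the answer's author. It assumes vEdge-style CLI, and the site IDs, VPN number, prefixes, interface name and firewall address are constructed values that you would replace with your own.

```text
! --- vSmart: centralized policy (site IDs, prefixes are constructed examples) ---
policy
 lists
  site-list BRANCHES
   site-id 100-199
  !
  vpn-list VPN10
   vpn 10
  !
  data-prefix-list BRANCH_LANS
   ip-prefix 10.100.0.0/16
  !
 !
 ! Optional control policy: vSmart stops re-advertising one branch's VPN 10 routes
 ! to the other branches. TLOCs are still advertised, so branch-to-branch BFD/IPsec
 ! tunnels stay up; only the routes are withheld. As the answer notes, this is not
 ! required for the firewall case, because the data policy below overrides routing.
 control-policy NO_BRANCH_TO_BRANCH
  sequence 10
   match route
    site-list BRANCHES
    vpn-list VPN10
   !
   action reject
   !
  !
  default-action accept
 !
 ! Data policy: branch-LAN to branch-LAN flows are steered to service "FW" in VPN 10,
 ! which only the HQ device advertises, so the flow goes Br_A -> HQ -> firewall -> Br_B.
 data-policy BRANCH_VIA_FW
  vpn-list VPN10
   sequence 10
    match
     source-data-prefix-list BRANCH_LANS
     destination-data-prefix-list BRANCH_LANS
    !
    action accept
     set
      service FW vpn 10
     !
    !
   !
   default-action accept
  !
 !
!
apply-policy
 site-list BRANCHES
  control-policy NO_BRANCH_TO_BRANCH out
  data-policy BRANCH_VIA_FW from-service
 !
!

! --- HQ vEdge: advertise the DC firewall as service FW in VPN 10 ---
vpn 10
 service FW address 10.10.10.254
!

! --- Branch vEdge: NAT DIA (point 2) ---
! NAT on the internet transport interface, then a VPN 10 default route that
! points to VPN 0 so unmatched internet traffic leaves locally.
vpn 0
 interface ge0/0
  nat
  !
 !
!
vpn 10
 ip route 0.0.0.0/0 vpn 0
!
```

The data policy is applied `from-service` at the branches so it acts on traffic arriving from the branch LAN before normal routing; the HQ device receives the flow, hands it to the firewall because it owns service FW, and routes the returned traffic toward Br_B. With the service insertion tracker mentioned above enabled on the HQ side, a failed firewall withdraws the service so the data policy does not black-hole the flow.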