What you want to achieve, DIA (Direct Internet Access), is achievable through
a) having a public access transport interface at your branch Edge router (SD-WAN Edge)
b) a Data Policy to direct traffic to the internet exit.
In other words, the SD-WAN cEdge/vEdge router will transmit everything through TLOCs unless a data policy says otherwise and sends it through DIA.
In your use case, you should configure a Data Policy to direct only O365 application traffic to DIA; as a result, the same user that is generating O365 traffic doesn't have any further direct access to the internet, only through TLOCs. On the other hand, your overlay network at the branch side won't be open/reachable from the public internet space either.
Have a look at the URL below for how this works:
https://sdwan-docs.cisco.com/Product_Documentation/Software_Features/Release_16.3/07Policy_Applications/04Using_a_vEdge_Router_as_a_NAT_Device/Configuring_Local_Internet_Exit
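As an added illustration (not part of the answer above and not taken from the linked Cisco page), this is what the two pieces described there look like in vEdge/vSmart CLI syntax: NAT enabled on the transport interface in VPN 0, and a centralized data policy that sends only the matched application traffic out of that interface while everything else stays on the overlay. Every name and number here is a placeholder (VPN 10, site-id 100, ge0/0, the 203.0.113.0/30 transport subnet, the list and policy names), and the `app` entries in the app-list are assumptions; take the actual application names from the application list in your vManage release.

```text
! ---------- vEdge (branch): NAT on the public transport interface in VPN 0 ----------
vpn 0
 interface ge0/0
  ip address 203.0.113.10/30
  nat
  !
  tunnel-interface
   encapsulation ipsec
   color biz-internet
  !
  no shutdown
 !
 ip route 0.0.0.0/0 203.0.113.9
!

! ---------- vSmart (centralized policy): DIA only for the O365 app-list ----------
policy
 lists
  vpn-list SERVICE-VPN
   vpn 10
  !
  site-list BRANCH-SITES
   site-id 100
  !
  app-list O365-APPS
   app ms-office-365
   app sharepoint
  !
 !
 data-policy DIA-O365-ONLY
  vpn-list SERVICE-VPN
   sequence 10
    match
     app-list O365-APPS
    !
    action accept
     nat use-vpn 0
     nat fallback
    !
   !
   default-action accept
  !
 !
!
apply-policy
 site-list BRANCH-SITES
  data-policy DIA-O365-ONLY from-service
 !
!
```

Two things worth checking after applying this. First, `nat use-vpn 0` only works if the VPN 0 interface actually has `nat` configured, which is why the interface stanza comes first. Second, `default-action accept` with no NAT action is what keeps all other user traffic on the TLOCs; the `nat fallback` line (optional, if your release supports it) sends the O365 flows back over the overlay when the NAT interface is down rather than dropping them.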