We've accomplished this by ensuring that the SD-WAN BGP/Interface templates (and VPN's therein) are aligned to support the number of VRFs/VNs that you currently maintain in your SDA deployment for border handoff. It works without issue and allows SGT propagation across the WAN.
We took a phased approach by executing a duplicative peering for underlay/overlay into the same VPN initially before working in our phase 2 design to establish a separate/true VPN for INFRA. We did this because you need to consider the fact that you need more than just access to DNA in the underlay, and need other shared services such as DHCP for your wireless access points and fabric extended nodes if applicable. Our phase 3 approach will include yet another SD-WAN VPN for Guest Shared Services (DNS/DHCP).
You could most certainly setup all of that at once but we felt more comfortable in a crawl, walk, run approach... and the duplicative BGP peering into the same VPN helped our NetOps team get more familiarized supporting SDA at scale/remotely without making a lot of other changes in the shared services/fusion/WAN layers.