You could use routing with metrics to accomplish that. You could, for instance, use BGP with local preferences to have routes over both fabrics with the preferred method having the higher local.
We are using Zscaler as well. We route to primary and backup GRE tunnels, then use a bypass filter for our services that need to bypass Zscaler and come from a static source address. So the basic statement on the vEdges is: ip gre-route 0.0.0.0/0 vpn ...