ASA NAT two public IPs (2 ISPs) to single private IP

the-lebowski
Level 4

Trying to wrap my head around NAT'ing two public IPs from different ISPs to a single private IP. 

 

ISPA on Gi0 

ISPB on Gi1

 

ISPA: 99.99.99.99/29

ISPB: 88.88.88.88/29 

Private: 192.168.1.9/24 

Outbound NAT is already configured for the LAN as well as IP SLA, all that works without issue.  I just need to figure out how to NAT two separate IPs to a single private for a POC. 

 

How would I accomplish this on a 5525 running 9.4.4.17?

7 Replies

Bogdan Nita
VIP Alumni

You won't be able to use both public IPs simultaneously, at least from the same source. Meaning that from my IP x.x.x.x I would be able to connect to the private IP using either 99.99.99.99 or 88.88.88.88.

You can either have one as active and the other one as standby, or you can have one reachable from specific sources and the other from the remaining sources.

 

HTH

Bogdan

 

I have it configured and routing specific traffic (to single destination IP) through the backup link but only see hits on the primary NAT/link.  0 hits on the secondary inbound ACL but hits on both NAT rules.

1 (inside) to (outside-primary) source static private-xx.xx.xx.xx public-99.99.99.99
translate_hits = 8948, untranslate_hits = 9200
2 (inside) to (outside-backup) source static private-xx.xx.xx.xx public-88.88.88.88
translate_hits = 609785, untranslate_hits = 612408
access-list outside-primary_access_in line 2 extended permit object-group DM_INLINE_SERVICE_7 object-group POP object private-xx.xx.xx.xx (hitcnt=8402) 0x16da73bd
access-list outside-backup_access_in line 3 extended permit object-group DM_INLINE_SERVICE_6 object-group POP object -private-xx.xx.xx.xx (hitcnt=0) 0x3cb83258
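The hit counters above are easier to reason about when the NAT rule counters and the inbound ACL counters for the same interface are read side by side. The script below is an added example written for this thread, not code from the poster or from Cisco: it parses the two command outputs in the format shown (sample text constructed from the values posted above, with the ACL interface taken from the `<interface>_access_in` naming used here) and, per NAT rule, reports whether any inbound ACL entry naming the real host has hits. On the ASA, `translate_hits` counts packets translated in the real-to-mapped direction and `untranslate_hits` the reverse, so a rule with large `untranslate_hits` but zero inbound ACL hits is seeing reply traffic for outbound flows (or inbound attempts denied elsewhere), not permitted inbound connections.

```python
import re

# "show nat detail" rule header and its hit-counter line
NAT_RULE_RE = re.compile(
    r"^(?P<idx>\d+) \((?P<src_if>[^)]+)\) to \((?P<dst_if>[^)]+)\) "
    r"source static (?P<real>\S+) (?P<mapped>\S+)")
NAT_HITS_RE = re.compile(r"translate_hits = (?P<fwd>\d+), untranslate_hits = (?P<rev>\d+)")
# "show access-list" entry; the interface comes from the <iface>_access_in naming used in the thread
ACL_RE = re.compile(r"^access-list (?P<name>\S+)_access_in line \d+ .*?\(hitcnt=(?P<hits>\d+)\)")

# Constructed sample output carrying the counters posted in the thread.
SHOW_NAT = """\
1 (inside) to (outside-primary) source static private-xx.xx.xx.xx public-99.99.99.99
    translate_hits = 8948, untranslate_hits = 9200
2 (inside) to (outside-backup) source static private-xx.xx.xx.xx public-88.88.88.88
    translate_hits = 609785, untranslate_hits = 612408
"""
SHOW_ACL = """\
access-list outside-primary_access_in line 2 extended permit object-group DM_INLINE_SERVICE_7 object-group POP object private-xx.xx.xx.xx (hitcnt=8402) 0x16da73bd
access-list outside-backup_access_in line 3 extended permit object-group DM_INLINE_SERVICE_6 object-group POP object private-xx.xx.xx.xx (hitcnt=0) 0x3cb83258
"""


def parse_show_nat(text):
    """Return one dict per static NAT rule with its forward/reverse hit counters."""
    rules, current = [], None
    for line in text.splitlines():
        m = NAT_RULE_RE.match(line.strip())
        if m:
            current = {k: m.group(k) for k in ("src_if", "dst_if", "real", "mapped")}
            current.update(index=int(m.group("idx")), translate_hits=0, untranslate_hits=0)
            rules.append(current)
            continue
        m = NAT_HITS_RE.search(line)
        if m and current is not None:
            current["translate_hits"] = int(m.group("fwd"))
            current["untranslate_hits"] = int(m.group("rev"))
    return rules


def parse_acl_hits(text):
    """Return [(interface, entry text, hitcnt)] for every inbound ACL entry."""
    entries = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            entries.append((m.group("name"), line, int(m.group("hits"))))
    return entries


def correlate(nat_text, acl_text):
    """Per NAT rule, sum inbound ACL hits on its mapped interface that name the real host."""
    acl = parse_acl_hits(acl_text)
    report = []
    for rule in parse_show_nat(nat_text):
        inbound = sum(h for iface, entry, h in acl
                      if iface == rule["dst_if"] and rule["real"] in entry)
        if inbound > 0:
            verdict = "inbound connections are permitted and reaching the real host"
        elif rule["untranslate_hits"] > 0:
            verdict = ("reverse-direction packets are untranslated but none are permitted by the "
                       "inbound ACL entry: they are replies to outbound flows, or inbound attempts "
                       "are denied by another entry or the implicit deny")
        else:
            verdict = "no traffic on this rule"
        report.append({"interface": rule["dst_if"], "mapped": rule["mapped"],
                       "translate_hits": rule["translate_hits"],
                       "untranslate_hits": rule["untranslate_hits"],
                       "acl_hits": inbound, "verdict": verdict})
    return report


if __name__ == "__main__":
    for row in correlate(SHOW_NAT, SHOW_ACL):
        print(f"{row['interface']:>16} {row['mapped']:>20} xlate={row['translate_hits']:>7} "
              f"unxlate={row['untranslate_hits']:>7} acl={row['acl_hits']:>5}  {row['verdict']}")
```

Paste the real `show nat detail` and `show access-list` output into the two strings to run it against a live box; the stray "-" in front of the object name in the second ACL entry above was dropped in the constructed sample so the object names match.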

 

Can you post the result from packet-tracer to a destination that should be reachable via the backup connection?

packet-tracer input inside tcp <inside-ip> 1024 <outside-backup-ip> <allowed-port>

fw1# packet-tracer input inside tcp 192.168.9.9 1024 99.99.99.99 4500

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 99.99.99.99 using egress ifc  outside-backup

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip object test-private-192.168.9.9 any
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside-backup) source static test-private-192.168.9.9 test-public-99.99.99.99
Additional Information:
Static translate 192.168.9.9/1024 to 99.99.99.99/1024

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside-backup) source static test-private-192.168.9.9 test-public-99.99.99.99
Additional Information:

Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside-backup
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed

Never seen 'slowpath security checks failed' before.  

Sorry for the late reply.

I believe you are getting sp-security-failed because the destination IP 99.99.99.99 in packet-tracer is configured on the outside-backup interface.

You should try using a different IP in the packet-tracer. For instance, to use the backup ISP for traffic destined to 8.8.8.8, you would need the following route added (NAT and ACL are already in place and seem to be OK):

route outside-backup 8.8.8.8 255.255.255.255 <backup-isp-gateway>

packet-tracer should then look something like:

packet-tracer input inside icmp 192.168.9.9 8 0 8.8.8.8

 

route-map PAN permit 10
 match ip address PAN-ACL
 set ip next-hop 10.192.2.3


fw1# packet-tracer input inside icmp 192.168.9.9 8 0 14.140.218.99

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 182.72.16.99 using egress ifc  outside-backup

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip object test-private-192.168.9.9 any
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside-backup) source static test-private-192.168.9.9 test-public-99.99.99.99
Additional Information:
Static translate 192.168.9.9/0 to 99.99.99.99/0

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside-backup) source static test-private-192.168.9.9 test-public-99.99.99.99
Additional Information:

Phase: 11
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 15
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 58314530, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside-backup
output-status: up
output-line-status: up
Action: allow

Packet-tracer seems OK now. The packet is redirected to the outside-backup interface and it is being NATed to 99.99.99.99.

I am not sure I understand what's with the 10.192.2.3 next hop, but the packet tracer shows the next hop as 182.72.16.99.

Another test you could do is set up a capture.

capture CAP interface outside-backup match icmp host 99.99.99.99 any

Ping an IP routed to the outside backup that responds to ping.

show capture CAP

Check if packets are sent out and if responses are coming back.
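The two packet-tracer transcripts in this thread differ only in a few lines (the route lookup, the NAT phase and the final Result block), and the first one was dropped because the traced destination was the firewall's own outside-backup address, as explained above. The script below is an added example, not code from the thread or from Cisco: it reduces a packet-tracer transcript to those deciding fields and applies that explanation as a check. The two sample transcripts are constructed copies trimmed from the ones posted above; the "destination equals the mapped/next-hop address" heuristic is taken from the explanation in this thread and is an assumption, not an ASA API.

```python
import re

# Lines of packet-tracer output that carry the verdict
CMD_RE = re.compile(r"packet-tracer input (\S+) (tcp|udp|icmp) (.+)$")
NEXT_HOP_RE = re.compile(r"found next-hop (\S+) using egress ifc\s+(\S+)")
XLATE_RE = re.compile(r"Static translate ([\d.]+)/\d+ to ([\d.]+)/\d+")

# Constructed samples, trimmed from the transcripts posted in the thread.
DROPPED_TRACE = """\
fw1# packet-tracer input inside tcp 192.168.9.9 1024 99.99.99.99 4500

Phase: 3
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
found next-hop 99.99.99.99 using egress ifc  outside-backup

Phase: 5
Type: NAT
Result: ALLOW
Config:
nat (inside,outside-backup) source static test-private-192.168.9.9 test-public-99.99.99.99
Additional Information:
Static translate 192.168.9.9/1024 to 99.99.99.99/1024

Result:
input-interface: inside
output-interface: outside-backup
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
"""
ALLOWED_TRACE = """\
fw1# packet-tracer input inside icmp 192.168.9.9 8 0 14.140.218.99

Phase: 3
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
found next-hop 182.72.16.99 using egress ifc  outside-backup

Phase: 5
Type: NAT
Result: ALLOW
Config:
nat (inside,outside-backup) source static test-private-192.168.9.9 test-public-99.99.99.99
Additional Information:
Static translate 192.168.9.9/0 to 99.99.99.99/0

Result:
input-interface: inside
output-interface: outside-backup
Action: allow
"""


def parse_packet_tracer(text):
    """Reduce a packet-tracer transcript to the fields that decide the verdict."""
    t = {"ingress": None, "dst_ip": None, "egress": None, "next_hop": None,
         "nat_rule": None, "mapped_ip": None, "action": None, "drop_reason": None}
    in_nat_phase = False
    for raw in text.splitlines():
        line = raw.strip()
        m = CMD_RE.search(line)
        if m:
            t["ingress"] = m.group(1)
            args = m.group(3).split()
            # tcp/udp arguments: src sport dst dport; icmp: src type code dst
            t["dst_ip"] = args[2] if m.group(2) in ("tcp", "udp") else args[3]
            continue
        if line.startswith("Type:"):
            in_nat_phase = line.split(":", 1)[1].strip() == "NAT"
        elif in_nat_phase and line.startswith("nat ("):
            t["nat_rule"] = line
        elif line.startswith("Action:"):
            t["action"] = line.split(":", 1)[1].strip()
        elif line.startswith("Drop-reason:"):
            t["drop_reason"] = line.split(":", 1)[1].strip()
        m = NEXT_HOP_RE.search(line)
        if m:
            t["next_hop"], t["egress"] = m.group(1), m.group(2)
        m = XLATE_RE.search(line)
        if m:
            t["mapped_ip"] = m.group(2)
    return t


def diagnose(text):
    """Return (fields, findings); findings restate the verdict in operator terms."""
    t = parse_packet_tracer(text)
    findings = []
    if t["action"] == "drop":
        own_address = t["dst_ip"] is not None and t["dst_ip"] in (t["mapped_ip"], t["next_hop"])
        if t["drop_reason"] and "sp-security-failed" in t["drop_reason"] and own_address:
            findings.append(f"destination {t['dst_ip']} is the address the NAT rule maps to on "
                            f"{t['egress']}, i.e. the firewall's own interface address; "
                            "trace a destination beyond the ISP instead")
        else:
            findings.append(f"dropped: {t['drop_reason']}")
    elif t["action"] == "allow":
        findings.append(f"allowed: {t['ingress']} -> {t['egress']} via next hop {t['next_hop']}, "
                        f"source translated to {t['mapped_ip']} by '{t['nat_rule']}'")
    else:
        findings.append("no Action line found; transcript incomplete")
    return t, findings


if __name__ == "__main__":
    for sample in (DROPPED_TRACE, ALLOWED_TRACE):
        fields, notes = diagnose(sample)
        print(fields["dst_ip"], fields["action"], "|", "; ".join(notes))
```

The parser deliberately ignores every phase except the route lookup, the NAT phases and the final Result block, so it also works on the full transcripts above; anything it cannot find stays `None` and shows up in the findings as an incomplete transcript rather than a guessed verdict.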