Creating a "Deny but Poke Holes" Set of Policies
I own a FortiGate 60F. I'm a contract worker, operating from home. The company I'm working with demands that I'm behind a firewall which is set to reject ALL TRAFFIC except only needed services and web sites, just so there is maximum rejection of anything from the outside. I have also purchased the package which has IPS so that I'm in compliance, as they are most concerned with asset egress. It's Draconian, I know.
My question is, what is the most efficient way to configure for this, using the fewest policies? To simplify, let's assume I need the following 3 "essential" things:
1. The company's Okta site, we'll call it "company.okta.com"
2. Ability to sync with the Dropbox service
3. An Apple file server, let's call it "afp://server.company.com"
For example, I can't tell whether using Web Filtering is better than individual policies which specify FQDNs, etc.
Is it best to create a policy just specifying Dropbox's "Internet Service" services? Or some other method?
Thank you
