FortiGate
kvimaladevi
Staff
Article Id 252129
Description This article describes how to allow traffic from certain clients in the blocked country list to access VIP servers.
Scope FortiGate.
Solution

In this scenario, a VIP configuration for internal servers is used.

A policy (test1), with specific countries as the source and the VIPs as the destination, is configured with action DENY to block traffic from those countries to the server behind the VIP.

[Screenshot: final.PNG]


Now all traffic coming from a blocked country hits the VIP policy first and is blocked.
On firmware versions lower than 7.2.3, the CLI option 'match-vip' must additionally be enabled on this deny policy.

See this article for more info: Troubleshooting Tip: VIP traffic not matching the firewall policy with an 'all' destination.


If a policy (test2) is created with a specific source and the server's real IP address as the destination, the traffic will still match the VIP policy first and be blocked.

[Screenshot: new vip2.PNG]


If a client in the blocked country list must be allowed to access the VIP servers, a policy (test3) has to be created with the required client IP as the source and the VIP server as the destination.

It must be placed above the block policy.


[Screenshot: new vip.PNG]
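As an added example (not from the article), the equivalent FortiOS CLI configuration for the allow-above-deny arrangement described above; interface names, addresses, the VIP name, the country code and the policy IDs are assumed placeholders:

```fortios
# Added example, not from the article. Assumed values: interfaces wan1/internal,
# VIP 203.0.113.10 -> 10.0.0.10, exempt client 198.51.100.7, country code "XX"
# (replace with the real ISO code) and policy IDs 1 and 3.

# Geography address for the blocked countries, plus the exempt client
config firewall address
    edit "Blocked-Countries"
        set type geography
        set country "XX"
    next
    edit "Allowed-Client"
        set subnet 198.51.100.7 255.255.255.255
    next
end

# VIP mapping the public address to the internal server
config firewall vip
    edit "Web-VIP"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip "10.0.0.10"
    next
end

config firewall policy
    # test3: explicit allow for the exempt client; destination is the VIP, not the real IP
    edit 3
        set name "test3"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "Allowed-Client"
        set dstaddr "Web-VIP"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # test1: deny the blocked countries to the VIP
    edit 1
        set name "test1"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "Blocked-Countries"
        set dstaddr "Web-VIP"
        set action deny
        set schedule "always"
        set service "ALL"
        # only required on firmware below 7.2.3, as the article notes
        set match-vip enable
    next
    # Ordering is what makes this work: the allow must sit above the deny
    move 3 before 1
end
```

After applying, confirm the client's public IP resolves to the expected country with 'diagnose geoip ip2country 198.51.100.7' before assuming the geography object is the reason traffic is dropped.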


Note:
Some IP ranges are registered to one country while FortiGuard's Geo-IP database maps them to a different country.

It is possible to run 'diagnose geoip ip2country x.x.x.x' to verify this, where x.x.x.x is the public IP.
In such scenarios, it is possible to override the Geo-IP database. See these articles for more info:
Technical Tip: How to override Geo-IP database
Technical Tip: Commands to verify GeoIP information and troubleshoot GeoIP database