This article describes that when using the standard CLI procedure for FlexVM license injection where a FortiGate is part of an HA environment with the dedicated management interface, it can happen that the traffic from the management interface is not routable or does not have internet access which is causing a license activation issue:

execute vm-license XXXXXXXXXXXXXXXXXXXX
This operation will reboot the system !
Do you want to continue? (y/n)y

Requesting FortiCare license token:XXXXXXXXXXXXXXXXXXXX proxy:(null)
dns resolve error
Failed to request forticare license -1.
Failed to download VM license.

Be aware, when setting up the dedicated management interface even without using the 'ha-direct' setting the 'execute vm-license' command would use this interface for DNS resolution and license download:

config system ha
    set ha-mgmt-status enable
        config ha-mgmt-interfaces
            edit 1
                set interface "port1"
            next
        end
    end

There are multiple approaches how to resolve this issue:

1. Add the gateway to 'ha-mgmt-interfaces' setting + make sure the routing from the HA management interface can access the FortiGuard network + run the 'exec vm-license <token>' command.
2. Remove the 'ha-mgmt-interfaces' setting + run the 'exec vm-license <token>' command.
3. Use other license injection methods: Injecting the Flex-VM license
4. Add NAT gateway on Cloud Provider.

Note : 

This also applies to any FortiGate VMs in AWS, Azure, etc. Even though the license is showing valid in GUI when the 'exec vm-license <token>' command is executed, it gives the same error as listed above. In such cases, it is necessary to remove the 'ha-mgmt-interfaces' settings and execute that command again.