RBA
Staff
Article Id 401690
Description: This article describes how to fix an application access issue where on/off-net detection is enabled.
Scope: FortiSASE.
Solution

Application access works as expected when connected off-net, and the issue is observed when the user is detected as on-net.
Disconnecting from FortiSASE while on-net will restore the application access.
For initial troubleshooting, test an open policy for one test user without any security profiles to isolate issues related to security profiles.


Check the tracert and route print outputs to confirm that traffic is routed via the physical gateway. Access will still fail even though the packet shows as 'routed' via the physical gateway.
An application bypassed with IP/FQDN will commonly encounter this issue.


Navigate to Configuration -> Endpoints -> Profiles and edit the Profile assigned to the user.
Verify the destination is bypassed.


In this case, the bypass is added as an IP.


A bypass using the IP for the application will not work in certain scenarios where dependent destinations still route through FortiSASE.

The executable file has to be added so that the dependent destinations will also be bypassed from FortiSASE.
It is recommended to identify the executable name by checking the process running from Resource Monitor -> Network.


The executable file location can also be identified with Task Manager. The main '.exe' file has to be matched.


When possible, add the full directory path to ensure the application will work without any issues.
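
The Resource Monitor and Task Manager lookups above can also be done from PowerShell. The script below is an added example, not Fortinet code: given the IP that was bypassed, it reports the full executable path of the owning process, every other destination that process is connected to, and the interface and next hop the Windows route table selects for each. The IP address is a constructed placeholder and the function name is hypothetical.

```powershell
# Added example (not Fortinet code). TCP only; run elevated so Path resolves
# for processes owned by other users.
param(
    [string]$BypassedIp = '203.0.113.10'   # constructed placeholder address
)

function Get-AppDependentRoutes {          # hypothetical helper name
    param([Parameter(Mandatory)][string]$RemoteIp)

    $local = @('127.0.0.1', '::1', '0.0.0.0', '::')

    # Processes currently holding a TCP connection to the bypassed IP.
    $owners = Get-NetTCPConnection -RemoteAddress $RemoteIp -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty OwningProcess -Unique

    foreach ($procId in $owners) {
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        if (-not $proc) { continue }

        # Every remote address the same executable talks to (its dependencies).
        $remotes = Get-NetTCPConnection -OwningProcess $procId -State Established -ErrorAction SilentlyContinue |
            Where-Object { $_.RemoteAddress -notin $local } |
            Select-Object -ExpandProperty RemoteAddress -Unique

        foreach ($addr in $remotes) {
            # Find-NetRoute emits an IP address object and a route object;
            # keep the route, which carries NextHop and InterfaceAlias.
            $route = Find-NetRoute -RemoteIPAddress $addr -ErrorAction SilentlyContinue |
                Where-Object { $_.PSObject.Properties['NextHop'] } |
                Select-Object -First 1

            [pscustomobject]@{
                Executable     = $proc.Path
                ProcessId      = $procId
                RemoteAddress  = $addr
                IsBypassedIp   = ($addr -eq $RemoteIp)
                InterfaceAlias = $route.InterfaceAlias
                NextHop        = $route.NextHop
            }
        }
    }
}

Get-AppDependentRoutes -RemoteIp $BypassedIp | Format-Table -AutoSize
```

Rows where IsBypassedIp is False are the dependent destinations that an IP-only bypass does not cover. The Executable column gives the full path to enter in the profile.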
