I'm a bit confuse on per-machine VPN and <machine> tag on FortiClient configuration. Let me explain a bit what I will do.
I will auto-connect a VPN before logon (and keep it active) when I'm off-fabric (test on pinging an on-fabric device). I set a couple of options and as I can see my VPN auto-connect correctly before logon without the tag <machine> enabled.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.