If possible, I would disable split-tunneling to force routing of all VPN traffic to the office, so it could be forwarded correctly to AWS services without the need to reconfigure all VPN routes client-side.
Or, if you need access to web services only, you could make use of a web proxy with a smart proxy.pac script that the VPN clients should use. The script could manage the access in a smart way: AWS access through the web proxy using the IP address of the branch office, and the rest the direct way.
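A proxy.pac along the lines this reply describes, as an added example that is not part of the thread; the proxy hostname and port, the AWS domain list and the `isAwsHost` helper are assumptions to adapt:

```javascript
// Added example (not from the thread): a proxy.pac that sends only AWS web
// traffic through the branch-office web proxy, so AWS sees the branch IP,
// and lets everything else go direct. Proxy host and port are placeholders.
var AWS_PROXY = "PROXY proxy.branch.example:3128"; // placeholder, change
var DIRECT = "DIRECT";

// Assumed list of domains that must reach AWS from the branch-office address.
// Suffix matching is done with plain string operations instead of the
// browser-only PAC helpers, so this file also runs unchanged under Node.
var AWS_DOMAINS = [
  "amazonaws.com",            // covers s3.*, ec2.*, *.execute-api.* etc.
  "console.aws.amazon.com",
  "signin.aws.amazon.com"
];

// True when host equals one of the listed domains or is a subdomain of it
// (a plain substring test would wrongly match e.g. notamazonaws.com).
function isAwsHost(host) {
  host = String(host).toLowerCase();
  for (var i = 0; i < AWS_DOMAINS.length; i++) {
    var d = AWS_DOMAINS[i];
    if (host === d || host.slice(-(d.length + 1)) === "." + d) {
      return true;
    }
  }
  return false;
}

// Entry point the browser calls for every request. AWS hosts get the proxy
// only, with no "; DIRECT" fallback, so a proxy outage fails closed instead
// of silently sending the request from the client's own address.
function FindProxyForURL(url, host) {
  if (isAwsHost(host)) {
    return AWS_PROXY;
  }
  return DIRECT;
}
```

A `DIRECT` fallback after the proxy entry would make the rule fail open: when the proxy is unreachable the browser quietly retries from the client's own IP, which defeats the point of the branch-office address.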
It is easy to use a script and the FortiGate API to create a huge number of addresses. If you cannot code, you can try NimbleText (https://nimbletext.com/live): you can use a list and a template to create a huge amount of addresses, policies, etc., and apply it via a firewall script; it is also efficient.