Still need a default route toward ISP3 since the IP changes. How about a static default route to ISP3 with a high number (lower) priority? That would make the local FGT respond to the remote end when the remote initiates the session. You might need to change the IPsec to aggressive (IKEv1) or dynamic (IKEv2) so the local FGT does not initiate itself, because it would go out via the SD-WAN side. But it would be ignored on the remote end if the remote has "static" IPsec.
For 2., why do you have to set a separate policy for the VPN traffic to ISP3? You have a set of policies for the VPN toward SD-WAN, but they would never apply to the traffic to ISP1 & ISP2, because the matching traffic never goes in that direction based on the SD-WAN rules for the VPN.
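As an added illustration of the suggestion above (not configuration from the original post or from the poster), a FortiOS CLI fragment with a low-preference static default route toward ISP3 and a dialup-style phase 1 that waits for the remote peer to initiate. The interface name "port3", the gateway address, the tunnel name "to-remote" and the proposal are assumptions, and the pre-shared key is a placeholder.

```fortios
# Static default route toward ISP3. The higher priority number makes it less
# preferred than the SD-WAN routes, so it is used only when they do not match,
# which is enough for the local FGT to answer a remote-initiated IKE session.
# "port3" and 203.0.113.1 are assumed values.
config router static
    edit 0
        set dst 0.0.0.0/0.0.0.0
        set gateway 203.0.113.1
        set device "port3"
        set distance 10
        set priority 100
    next
end

# Phase 1 on the local FGT as a dialup responder (type dynamic) so it never
# initiates out the SD-WAN side; IKEv1 aggressive mode is shown, matching the
# post's IKEv1 case. Tunnel name, interface and proposal are assumed.
config vpn ipsec phase1-interface
    edit "to-remote"
        set type dynamic
        set interface "port3"
        set ike-version 1
        set mode aggressive
        set peertype any
        set proposal aes256-sha256
        set psksecret <PRE-SHARED-KEY-PLACEHOLDER>
    next
end
```

As the post notes, the remote end must be the initiator for this to work; a remote configured as a static (non-dialup) responder will not bring the tunnel up.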