yes like that

That's because Azure advertises the same routes from both sides while your FGT picks one side of BGP routes and put it into RIB. You need to enable ECMP for eBGP (ASNs are different between Azure and the FGT) like below:

config router bgp
     set ebgp-multipath enable
end

Then you should have the same route to two neighbors in RIB like below:
B 10.1.x.0/24 [20/0] via 10.y.y.4 (recursive via xxxAzure2 tunnel x.x.x.x), 2d21h21m, [1/0]
                      [20/0] via 10.y.y.5 (recursive via xxxAzure1 tunnel x.x.x.x), 2d21h21m, [1/0]
We've learned this when we set up similar for our customer's Azure.

Toshi

No, this is incorrect for the return traffic via peer2.

You need to check why the return traffic was not via peer1 with the Azure team.

As a workaround, you may enable asymmetric routing on FGT:

config system settings
     set asymroute enable

end

If you have VDOM enabled, the configuration is VDOM based.

Without a proper route in RIB back to the incoming interface, FGTs would just drop the incoming packets by "reverse path check fail".

@HS08Since it's not working now, it wouldn't hurt you just try it and tell us the outcome. You can simply remove it if it didn't work

Toshi

No, "reverse path check fail" is for initial traffic only, not for return traffic.  When the return traffic is incoming, since it is not a syn packet, FGT will look for the session table if the asymmetric setting is not enabled.

Then, since the initial traffic is out via peer1, FGT will drop the return traffic due to "no session matched", not "reverse path check fail".