In your scenario, If you've both Primary and Backup links in the same Zone, then you'll have issues as with a single zone you can only create a single policy for source and destination so 64 NAT will be either enabled or disabled.
for pointing out a way to circumvent the limitation. Wouldn't it also be possible to create a separate VDOM just for the backup link that takes care of the additional, link-specific treatments and the use the corresponding vdom-link in the SD-WAN zone?
But I think I'm on the wrong track with the NAT64 anyway. As the clients are dual-stacked they can perfectly reach IPv4 through the backup link using their IPv4 addresses. So NAT64/DNS64 is not what is needed. An IPv6-tunnelbroker might be the right solution.
Any people out there that have this scenario working with IPv4/IPv6 on the primary link, ipv4-only on the backup link and dual-stack clients that use GUAs from the primary link?
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.