The clients (laptops - no phones per se) use an internal DNS server.
Those internal DNS servers are reachable over a VPN that is established on the branch fortigate.
The reason why I think some of the DNS requests get "hidden" of sorts is: we see DNS requests for the initial website to open the web-based application, but then the documentation claims they need to establish a connection to *.amazonaws.com to go on further (audio).
However, we don't see any DNS requests that match this FQDN (so we can't really test them individually), but we see attempted connections to IP addresses that belong to AWS. Those connections don't work as the Fortigate has no IP for the wildcard FQDN (they work once we add the individual IP to the firewall policy; however, the IP can change anytime).
So we suspect that either something is not working right in terms of populating the wildcard FQDN, or the documentation of the phone manufacturer is not entirely correct.
Using the "internet service" for Amazon AWS opens all TCP and UDP ports, and we are very reluctant to use that one (unless I am missing an option to use the internet service and limit the ports for the firewall policy using the internet service).