Hi,
Based on my research, from a management perspective, both of the methods you mentioned can be considered.
Since you have only a small user base in the Account Forest, for easier management, you can consolidate this Account Forest CA into the Resource Forest.
I am not familiar with the AOVPN solution; you may combine various factors and choose an appropriate method.
The following link is for your reference:
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff955842(v=ws.10)?redirectedfrom=MSDN
Fan