- Nearly all functionality in ConfigMgr is extended to clients on the Internet when using a CMG; this is documented in the official docs at https://learn.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/overview#scenarios. In general, only functionality that requires direct connectivity is not handled by a CMG; this includes Remote Control and WoL. A more complete list is at https://learn.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/supported-configurations#support-for-configuration-manager-features in the official docs.
- The CMG has no functionality; it's simply an extension of ConfigMgr to enable management of Internet clients. Thus, you're asking for a comparison of Intune against ConfigMgr, which we do not provide because our strategy is better together, i.e., use both Intune and ConfigMgr by enabling co-management.
- This is no different than any roaming scenario. The client will detect a network change and act accordingly based on your configuration. Connecting to a VPN will flip the client to intranet mode (assuming it has connectivity to your on-prem domain and/or an on-prem MP) and it will then act according to your boundary group configuration.
Cloud Management Gateway - general questions
Hi, I have a few questions about CMG in general:
- Which functionalities does CMG not offer to external clients compared to MECM/internal clients?
- Which functionalities does CMG not offer to external clients compared to Intune?
- What happens when an external client (hybrid Azure AD joined) gets connected to a VPN? I know the CM client will soon change its connection type to intranet, but what about policies/content CM is downloading? Will CMG be automatically "replaced" with the internal MP/DP the client would normally use if in the office, based on the client's boundary group, or will it continue to use CMG as if the VPN were not active? I am aware of the boundary group setting "Prefer cloud based sources over on-premises sources", so if that check box is selected I guess the client will use CMG/cloud based sources for policies/content download even while on VPN?
4 answers
-
Jason Sandys 31,411 Reputation points Microsoft Employee Moderator
2022-05-20T15:24:16.553+00:00
-
Bojan Zivkovic 606 Reputation points
2022-05-21T16:25:13.627+00:00 So what will happen if a client is not on VPN and, during content download from cloud based sources, it connects to VPN? (We have split tunnel VPN by the way, so traffic to/from cloud based sources would never go through the VPN.) Will the content download from cloud based sources complete, and then, if there is some other content the client needs to download, would it immediately start using internal sources - assuming there is no BG defined for the VPN IP range the client can get, with the setting "Prefer cloud based sources over on-premises source"?
Regarding CMG functionality I know it allows management of external clients - I should have written that differently. My bad.
-
Jason Sandys 31,411 Reputation points Microsoft Employee Moderator
2022-05-23T15:39:06.49+00:00 The client will detect this as a network change and it'll switch DPs based on your boundary groups as noted above.
"assuming there is no BG defined for VPN IP range client can get with setting Prefer cloud based sources over on-premises source"
Why would you not have a boundary group for your VPN IP addresses? In this case, intranet clients will fall into the default boundary group and follow whatever behavior is defined for it.
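To see the switch Jason describes happening on a given machine, the following added PowerShell (not from this thread) reads the local ConfigMgr client's own view of its connection type, current MP and matched boundary groups. It assumes the client WMI classes `root\ccm\ClientInfo`, `root\ccm\SMS_Authority` and `root\ccm\LocationServices\BoundaryGroupCache` are present and that it is run elevated on a managed Windows client.

```powershell
# Added example: report how the local ConfigMgr client currently sees its network
# location. Assumes the standard client WMI classes named below exist; run elevated.
function Get-CMClientNetworkState {
    [CmdletBinding()]
    param()

    # InInternet is $true when the client has decided it is an Internet client
    # (talking through the CMG) and $false when it is in intranet mode.
    $info = Get-CimInstance -Namespace 'root\ccm' -ClassName 'ClientInfo' -ErrorAction Stop

    # SMS_Authority carries the site code (as "SMS:<code>") and the MP in use.
    $auth = Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Authority' -ErrorAction Stop

    # BoundaryGroupCache holds the boundary group IDs the client matched on its last
    # location request; after a network change this is what drives DP/MP selection.
    $bgCache = Get-CimInstance -Namespace 'root\ccm\LocationServices' `
        -ClassName 'BoundaryGroupCache' -ErrorAction SilentlyContinue

    $bgIds = if ($bgCache) { @($bgCache.BoundaryGroupIDs) } else { @() }

    # Local IPv4 addresses, excluding link-local/loopback, to correlate with the BG ranges.
    $ips = (Get-NetIPAddress -AddressFamily IPv4 |
            Where-Object { $_.PrefixOrigin -ne 'WellKnown' }).IPAddress

    [pscustomobject]@{
        SiteCode         = $auth.Name -replace '^SMS:', ''
        ConnectionType   = if ($info.InInternet) { 'Internet (CMG)' } else { 'Intranet' }
        CurrentMP        = $auth.CurrentManagementPoint
        BoundaryGroupIDs = $bgIds
        LocalIPv4        = $ips
    }
}

Get-CMClientNetworkState | Format-List
```

Run it before and after connecting the VPN; a change in ConnectionType, CurrentMP or BoundaryGroupIDs is the network-change re-evaluation the answer above refers to.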
-
Bojan Zivkovic 606 Reputation points
2022-05-24T07:29:03.543+00:00 I spoke to the networking team - all our clients, when connected to VPN, will have the same private IP address (per location); their real private IP addresses are NATed out to use the Fortigate's private IP address. That means the BG for VPN clients would contain just a few private IP addresses (not a range) - US/Malta/Serbia/NLD.
What might be problematic here is the following:
I double checked, for instance, the BG for the Serbia location - it is AD site based and "contains" IP subnet 10.240.12.0/24 (internal clients normally get an IP from DHCP in the range 10.240.12.30-254). All VPN clients connected in SRB will have the same IP - 10.240.12.22 - meaning they will "belong" to both BGs (this one for internal clients and the new one created for VPN clients). This VPN IP of 10.240.12.22 explains why my laptop is still in the same AD site while on VPN as if it were in the office - hence while on VPN I always download content from the DP referenced in my BG.
NOTE: Just saw this - https://learn.microsoft.com/en-us/mem/configmgr/core/get-started/2020/technical-preview-2005#bkmk_vpn
I had overlooked this, sorry. Hopefully it will work with Fortigate VPN.