1 - You can use Route Tables or Route Server to direct traffic to the Palo Alto, for example a route of 0.0.0.0/0 with a next hop of your trusted interface IP. Beforehand, you would need to peer your other VNets to the VNet with the Palo.
2 - I presume this means you want to move from an Azure-terminated VPN to terminating on the Palo? If so, yes, you would need a tunnel per site. However, I wouldn't create a tunnel for each VNet. A hub-spoke VNet design is much more efficient - https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli
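As an added illustration of what the reply describes (not code from the original post or from the poster), here is a minimal Terraform layout for the route-table approach: a hub VNet holding the Palo Alto's trusted subnet, one spoke VNet peered to it, and a user-defined route of 0.0.0.0/0 on the spoke subnet whose next hop is the firewall's trusted interface. The resource group, address ranges, and the trusted interface IP (10.0.1.4) are assumptions chosen for the example.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
  }
}
provider "azurerm" { features {} }

# Assumed values for the example; replace with your own.
variable "palo_trust_ip" { default = "10.0.1.4" } # trusted (inside) interface of the Palo

resource "azurerm_resource_group" "rg" {
  name     = "rg-hub-spoke-example"
  location = "westeurope"
}

# Hub VNet: hosts the Palo Alto. Only the trusted subnet is shown here.
resource "azurerm_virtual_network" "hub" {
  name                = "vnet-hub"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  address_space       = ["10.0.0.0/16"]
}
resource "azurerm_subnet" "hub_trust" {
  name                 = "snet-trust"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.hub.name
  address_prefixes     = ["10.0.1.0/24"]
}

# Spoke VNet: workloads that should egress through the firewall.
resource "azurerm_virtual_network" "spoke" {
  name                = "vnet-spoke1"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
  address_space       = ["10.1.0.0/16"]
}
resource "azurerm_subnet" "spoke_workload" {
  name                 = "snet-workload"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.spoke.name
  address_prefixes     = ["10.1.1.0/24"]
}

# Peering must exist in both directions. allow_forwarded_traffic is what lets
# packets the Palo forwards (source IP not in the hub range) cross the peering.
resource "azurerm_virtual_network_peering" "hub_to_spoke" {
  name                      = "hub-to-spoke1"
  resource_group_name       = azurerm_resource_group.rg.name
  virtual_network_name      = azurerm_virtual_network.hub.name
  remote_virtual_network_id = azurerm_virtual_network.spoke.id
  allow_forwarded_traffic   = true
}
resource "azurerm_virtual_network_peering" "spoke_to_hub" {
  name                      = "spoke1-to-hub"
  resource_group_name       = azurerm_resource_group.rg.name
  virtual_network_name      = azurerm_virtual_network.spoke.name
  remote_virtual_network_id = azurerm_virtual_network.hub.id
  allow_forwarded_traffic   = true
}

# The route the reply describes: default route with next hop = Palo trusted IP.
# BGP propagation is disabled so routes learned from a gateway cannot create a
# more specific path around the firewall; leave it enabled if Route Server is
# the mechanism you rely on to inject the firewall route instead.
resource "azurerm_route_table" "spoke_rt" {
  name                          = "rt-spoke1-via-palo"
  resource_group_name           = azurerm_resource_group.rg.name
  location                      = azurerm_resource_group.rg.location
  disable_bgp_route_propagation = true

  route {
    name                   = "default-via-palo"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = var.palo_trust_ip
  }
}
resource "azurerm_subnet_route_table_association" "spoke_workload" {
  subnet_id      = azurerm_subnet.spoke_workload.id
  route_table_id = azurerm_route_table.spoke_rt.id
}
```

Two checks worth doing before relying on this: the Palo's trusted NIC must have IP forwarding enabled on the Azure side (`enable_ip_forwarding = true` on the network interface), or Azure drops packets not addressed to that NIC regardless of the firewall's own configuration; and the route table must not be associated with the Palo's own trusted subnet, or the firewall's forwarded traffic will loop back to itself. Each additional spoke repeats the spoke VNet, the pair of peerings, and the route-table association, with no extra tunnel needed.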