Thank you for reaching out.
I understand you wish to establish the connectivity in this manner.SPOC subnet -> Firewall -> Hub Exr gateway -> NVA (3rd party system) -> workload
Yes you will need to create UDR to establish this connectivity. Before I suggest the required routes in this scenario
Can you share a network diagram of your set-up? As it will help suggest if any other configuration is required apart from configuring the routes.
For a typical set-up like this the routes would be configured as described here by colleague Gita.
Thanks