I have heard not so great things about Forti VPNs, sorry to hear you have to work with those.

In theory, as long as the Forti VPN does not overlap with the Tailscale IP address range, the simplest solution is to just run Tailscale and openfortivpn on a single node. You can then advertise the Forti VPN subnets within Tailscale, that's effectively what my image does as well in a nutshell, except that it's parsing the WireGuard config and setting up firewall rules for convenience.

Tailscale does NAT automatically by default, so it will look like all traffic is coming from the openfortivpn client itself.