First add the following routes to routers A1 and A2:
On router A1: /ip route add dst-address=10.3.0.0/16 gateway=[LAN address of router A2]
On router A2: /ip route add dst-address=10.1.0.0/16 gateway=[LAN address of router A1]
After this, you should be able to ping site B from router A2 and site C from router A1 and vice versa. Check this first.
Then, add the following IPSEC policies to tunnel the additional subnets:
On router A1: /ip ipsec policy add dst-address=10.1.0.0/16 sa-dst-address=[WAN address of router B] sa-src-address=0.0.0.0 src-address=10.3.0.0/16 tunnel=yes
On router A2: /ip ipsec policy add dst-address=10.3.0.0/16 sa-dst-address=[WAN address of router C] sa-src-address=0.0.0.0 src-address=10.1.0.0/16 tunnel=yes
On router B: /ip ipsec policy add dst-address=10.3.0.0/16 sa-dst-address=[WAN address of router A1] sa-src-address=0.0.0.0 src-address=10.1.0.0/16 tunnel=yes
On router C: /ip ipsec policy add dst-address=10.1.0.0/16 sa-dst-address=[WAN address of router A2] sa-src-address=0.0.0.0 src-address=10.3.0.0/16 tunnel=yes
These are exact copies of the existing policies on each device, only with different dst-address or src-address, so you can easily use the copy function with few adaptations.
Add dummy routes for router-to-router traffic:
On router A1: /ip route add dst-address=10.3.0.0/16 gateway=[LAN interface/bridge]
On router A2: /ip route add dst-address=10.1.0.0/16 gateway=[LAN interface/bridge]
On router B: /ip route add dst-address=10.3.0.0/16 gateway=[LAN interface/bridge]
On router C: /ip route add dst-address=10.1.0.0/16 gateway=[LAN interface/bridge]
This will make sure the router picks the correct source address while not leaking internal traffic to WAN if the ipsec policy is down/missing.
The same routes can be added for peering subnets (10.1.0.0/16 <=> 10.2.0.0/16, etc.)
Make sure all subnets are excluded from masquerade/NAT and firewalls accept traffic from/to these subnets.