You can’t forward traffic heading to the internet unless you are forwarding a public IP address. Create these rules in prerouting on each VLAN interface or LAN interface list; on the interface with your public address, configure masquerade or src-nat (if static IP) for everything, since you’re doing filtering on the VLAN interface. And look up the correct layer7 filter for those services; with the ones you have now many things will be missed and probably won’t work. Or you can create an address list for Facebook and YouTube from their BGP ASNs and block based on IP address, which will be less resource intensive.
Solved by adding networks and ranges of IPs to the Address List.
For Facebook and YouTube, I first specified some IPs to allow the connection, then on the drop rule I specified the complete range of IPs (in my case from 10.0.10.1 to 10.0.70.254).
Here is one of the MUM presentations on the topic (however, blocking of IP addresses is harder to bypass than blocking of DNS): https://youtu.be/3LmQYIQ5RoA?t=3m57s
Another good option would be using the tls-host firewall rule property (however, that might not catch all traffic - e.g. Chrome+YouTube).
Some firewalls from other vendors rely on Deep Packet Inspection similar to tls-host firewall rule property.
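The address-list approach suggested in the first reply and used in the "Solved" post, written out as an added example that is not part of any post in this thread. The list names, the exempt host 10.0.10.5 and the destination prefixes (RFC 5737 documentation ranges) are constructed placeholders; the real prefixes have to come from the services' announced ASNs.

```routeros
# Added example, not from the thread. Names and sample addresses are assumptions.

/ip firewall address-list
# Destination prefixes of the services to block.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation placeholders,
# replace them with the prefixes announced by the services' ASNs.
add list=blocked-sites address=203.0.113.0/24 comment="placeholder prefix"
add list=blocked-sites address=198.51.100.0/24 comment="placeholder prefix"

# Clients that keep access (constructed sample host).
add list=allowed-clients address=10.0.10.5 comment="exempt host (sample)"

# Everyone covered by the drop rule: the range given in the thread.
add list=restricted-clients address=10.0.10.1-10.0.70.254

/ip firewall filter
# Order matters: rules are evaluated top to bottom, so the accept for
# exempt hosts must sit above the drop that covers the whole range.
add chain=forward action=accept \
    src-address-list=allowed-clients dst-address-list=blocked-sites \
    comment="exempt hosts may reach blocked-sites"
add chain=forward action=drop \
    src-address-list=restricted-clients dst-address-list=blocked-sites \
    comment="drop the rest of 10.0.10.1-10.0.70.254"
```

After loading, `/ip firewall filter print stats` shows per-rule packet counters, which confirms whether the accept and drop rules are matching in the intended order.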