Wed May 29, 2019 11:09 pm
You have posted the HQ configuration twice and the BO configuration not a single time, but that's not the most important point at the moment. The picture suggests that the IPsec tunnel only extends from the "HQ router" (which is under your administration) to the "service provider gateway VPN router". Is that true, and if so, is the latter one also under your administration?
The point is that if the actual IPsec peer of your HQ router were the router at Branch A, you could simply add one more policy before the existing one, and its mirror policy at Branch A, so the result at the HQ router would be
/ip ipsec policy
add dst-address=10.10.10.2/32 proposal=ISP sa-dst-address=2.2.2.2 sa-src-address=1.1.1.3 src-address=0.0.0.0/0 tunnel=yes
add dst-address=10.10.10.0/28 proposal=ISP sa-dst-address=2.2.2.2 sa-src-address=1.1.1.3 src-address=192.168.0.0/29 tunnel=yes
IPsec policies supersede the results of normal routing, so although the normal routing at the Branch A machine would send packets from 10.10.10.2 to any public IP out via the local WAN interface, the IPsec policy would intercept them and deliver them to the HQ via the tunnel instead, and the HQ router would do the src-nat before forwarding them to the destination via its WAN. So the responses would come to the HQ's WAN IP, get "un-src-nated", and be routed to whatever interface is a gateway to 10.10.10.2 in the HQ router's context, but the IPsec policy would intercept them and send them to Branch A via the tunnel instead.
But if the actual remote end of the IPsec tunnel is not the Branch A machine itself but the "service provider gateway VPN router", this change has to be done there, not on the Branch A machine. That's why I ask who the administrator of the "service provider gateway VPN router" is. If you cannot affect the configuration there, but the Branch A machine is also a MikroTik, you can set up an IPIP tunnel between the Branch A machine and the HQ router and use normal routing plus a routing-mark at Branch A to route packets from 10.10.10.2 to 0.0.0.0/0 via the IPIP tunnel, and normal routing at the HQ router to route packets to 10.10.10.2 via the tunnel.
Last but most important, I can see no firewall rules at all in your HQ router export, and I can see that Winbox access is not restricted to any subnet or address list, which means the management interface of the machine is exposed to the world. That's not a good idea even though you run the latest RouterOS. So from a purely functional point of view, it is enough to add chain=srcnat dst-address=10.10.10.0/28 action=accept and chain=srcnat action=src-nat to-addresses=1.1.1.3-1.1.1.4 out-interface=ether1 rules (in this exact order) to /ip firewall nat to allow devices in the local LAN subnets and in the Branch X LAN subnets to access the internet, but from the point of view of security, I'd strongly recommend that you also use the default set of /ip firewall filter rules, which you can find in the output of /system default-configuration print.
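The HQ-side configuration the reply above describes (the two IPsec policies, the two NAT rules in the required order, and the management-service restriction), collected into one RouterOS v6 CLI fragment. This is an added example, not something taken from the poster's export or from the reply's author. It assumes ether1 is the HQ WAN interface carrying 1.1.1.3-1.1.1.4, that 192.168.0.0/29 is the HQ LAN and the only subnet that should reach Winbox/SSH/WebFig, and that the Branch A router (only relevant if it really is the IPsec peer) uses a proposal of the same name; all of those are assumptions.

```routeros
# Added example (not from the original post). HQ router, RouterOS v6 CLI syntax.
# Assumptions: ether1 = HQ WAN with 1.1.1.3-1.1.1.4, 192.168.0.0/29 = HQ LAN and
# management subnet, IPsec proposal named ISP on both ends.

# 1. IPsec policies, in the order given in the reply: the host policy for
#    10.10.10.2 first, then the existing LAN-to-LAN policy.
/ip ipsec policy
add src-address=0.0.0.0/0 dst-address=10.10.10.2/32 tunnel=yes proposal=ISP \
    sa-src-address=1.1.1.3 sa-dst-address=2.2.2.2 \
    comment="Branch A host 10.10.10.2 -> internet through HQ"
add src-address=192.168.0.0/29 dst-address=10.10.10.0/28 tunnel=yes proposal=ISP \
    sa-src-address=1.1.1.3 sa-dst-address=2.2.2.2 \
    comment="HQ LAN <-> Branch A LAN"

# 2. NAT. The accept rule MUST come first: srcnat is applied before the IPsec
#    policy selector is evaluated, so without it HQ LAN -> 10.10.10.0/28 packets
#    would leave ether1 with source 1.1.1.3/4 and no longer match the
#    192.168.0.0/29 policy above (they would go to the internet in the clear).
/ip firewall nat
add chain=srcnat dst-address=10.10.10.0/28 action=accept \
    comment="never NAT traffic that belongs in the IPsec tunnel"
add chain=srcnat out-interface=ether1 action=src-nat to-addresses=1.1.1.3-1.1.1.4 \
    comment="HQ LAN and 10.10.10.2 (arriving decapsulated) -> internet"

# 3. Management exposure: bind the management services to the LAN subnet and
#    switch off the ones that are not used (assumed set; adjust to what you need).
/ip service
set winbox address=192.168.0.0/29
set ssh address=192.168.0.0/29
set www address=192.168.0.0/29
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes

# 4. Mirror policy on the Branch A router, ONLY if Branch A (2.2.2.2) really is
#    the IPsec peer of the HQ router; it must precede Branch A's existing
#    10.10.10.0/28 <-> 192.168.0.0/29 policy.
# /ip ipsec policy
# add src-address=10.10.10.2/32 dst-address=0.0.0.0/0 tunnel=yes proposal=ISP \
#     sa-src-address=2.2.2.2 sa-dst-address=1.1.1.3

# 5. Checks: policies and their order, an installed SA pair, NAT order, services.
/ip ipsec policy print
/ip ipsec installed-sa print
/ip firewall nat print
/ip service print
```

After applying this, still add the default /ip firewall filter rule set from /system default-configuration print as the reply recommends; restricting the services above limits the exposure of the management plane, but it does not replace an input-chain drop rule on the WAN interface.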
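The IPIP fallback the reply mentions (for the case where the IPsec peer is the provider's gateway and cannot be changed), written out as an added example; it is not the poster's or the replier's configuration. Assumed values: the Branch A MikroTik's public address is 203.0.113.10, the tunnel uses 172.16.255.0/30 (HQ .1, Branch A .2), the routing mark is called via-hq, and the tunnel interface names and the ipsec-secret are placeholders. RouterOS v6 syntax; it also adds the blackhole route and the address-list exclusion a practitioner would want, which the reply does not spell out.

```routeros
# Added example (not from the original post). RouterOS v6 CLI syntax.
# Assumptions: Branch A WAN = 203.0.113.10, tunnel net 172.16.255.0/30,
# routing mark "via-hq", interface names and secret are placeholders.

# ---- Branch A router ----
# A plain IPIP tunnel is unencrypted; ipsec-secret makes RouterOS wrap it in a
# dynamic IPsec transport SA between the two public addresses (both ends must
# use the same secret). Drop the parameter only if you accept clear-text transit.
/interface ipip
add name=ipip-hq remote-address=1.1.1.3 ipsec-secret="replace-with-a-long-random-secret"
/ip address
add address=172.16.255.2/30 interface=ipip-hq

# Traffic that must stay on the existing IPsec tunnel (branch and HQ LANs) is
# excluded from the mark, otherwise HQ LAN replies would arrive asymmetrically.
/ip firewall address-list
add list=ipsec-nets address=10.10.10.0/28
add list=ipsec-nets address=192.168.0.0/29

/ip firewall mangle
add chain=prerouting src-address=10.10.10.2 dst-address-list=!ipsec-nets \
    action=mark-routing new-routing-mark=via-hq passthrough=no \
    comment="10.10.10.2 -> internet via HQ instead of local WAN"

# Marked packets use the via-hq table. In v6 a miss in that table falls back to
# the main table, i.e. if the tunnel goes down 10.10.10.2 would silently egress
# via the local WAN; the blackhole route with a worse distance prevents that.
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.255.1 routing-mark=via-hq distance=1
add dst-address=0.0.0.0/0 type=blackhole routing-mark=via-hq distance=10

# ---- HQ router ----
/interface ipip
add name=ipip-branch-a remote-address=203.0.113.10 ipsec-secret="replace-with-a-long-random-secret"
/ip address
add address=172.16.255.1/30 interface=ipip-branch-a
# Return traffic to the host goes back through the tunnel by normal routing.
/ip route
add dst-address=10.10.10.2/32 gateway=172.16.255.2

# The same two NAT rules as in the reply, same order: exempt the IPsec-carried
# subnet, then src-nat everything leaving ether1 (this now includes 10.10.10.2
# arriving over the IPIP tunnel).
/ip firewall nat
add chain=srcnat dst-address=10.10.10.0/28 action=accept
add chain=srcnat out-interface=ether1 action=src-nat to-addresses=1.1.1.3-1.1.1.4

# Checks
/interface ipip print
/ip route print where routing-mark=via-hq
/ip firewall mangle print stats
/tool traceroute src-address=10.10.10.2 1.1.1.1
```

On RouterOS v7 the routing-mark table has to be created first (/routing table add name=via-hq fib) and the routes use routing-table=via-hq instead of routing-mark=; the rest is unchanged. The traceroute at the end is meant to be run from the Branch A router and should show 172.16.255.1 as the first hop for the marked source address.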