Yes, this is perfectly possible.
I have a mAPLite configured for that purpose.
It helps to use the ethernet port for config but even that is not needed (though it DOES complicate things and you need to be very careful what you do in which order).
Even one step further (trick I learned from user bpwl): a connect list where you define all wireless networks known to you that can be connected to.
And your smartphone hotspot could be one of them (under the assumption that nowadays everyone always has his smartphone with him).
References/reading material (instructions which are for mAP/mAPLite but basically they apply to all ROS devices, with some possible optimizations for devices having multiple radios):
viewtopic.php?f=13&t=129398 (2nd post is the one I used as guideline)
viewtopic.php?t=169032 (use of connect list, I have 8 in my list which covers most of my bases)
To complete your requirements you need to set up your VPN and use one slave SSID which goes with that. So once connected to that, you're on VPN.
Use another SSID for regular access (but with the added benefit of staying behind the MikroTik firewall, though personally I'd always use VPN on public Wi-Fi).
Keep in mind though not all VPN protocols are able to pass all firewalls. Nowadays I like to use Wireguard on ROS7 but I am aware it doesn't always work. SSTP or OpenVPN might be the best alternative then.
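
The setup described in the post above, written out as a RouterOS 7 configuration for a single-radio device. This is an added example, not taken from the post or from the linked topics. All SSIDs, keys, subnets, interface names and the endpoint `vpn.example.net` are placeholders, and DHCP servers for the two local subnets are assumed to be configured separately.

```routeros
# Added example: every name, SSID, key, address and endpoint below is a placeholder.
/interface wireless security-profiles
add name=uplink-home mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key="CHANGE-ME-1"
add name=uplink-phone mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key="CHANGE-ME-2"
add name=local mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key="CHANGE-ME-3"

# The single radio is the station (uplink); both slave SSIDs hang off it.
/interface wireless
set wlan1 mode=station disabled=no
add name=wlan-vpn master-interface=wlan1 mode=ap-bridge ssid="travel-vpn" security-profile=local disabled=no
add name=wlan-direct master-interface=wlan1 mode=ap-bridge ssid="travel-direct" security-profile=local disabled=no

# Connect list: known uplink networks, evaluated top to bottom.
/interface wireless connect-list
add interface=wlan1 ssid="HomeWiFi" security-profile=uplink-home connect=yes
add interface=wlan1 ssid="PhoneHotspot" security-profile=uplink-phone connect=yes

/ip dhcp-client add interface=wlan1 disabled=no
/ip address
add address=10.10.10.1/24 interface=wlan-vpn
add address=10.10.20.1/24 interface=wlan-direct

# WireGuard tunnel to the VPN server (the private key is generated on add).
/interface wireguard add name=wg1
/interface wireguard peers
add interface=wg1 public-key="<SERVER-PUBLIC-KEY>" endpoint-address=vpn.example.net endpoint-port=51820 allowed-address=0.0.0.0/0 persistent-keepalive=25s
/ip address add address=10.99.0.2/32 interface=wg1

# Clients of the VPN SSID may only use the routing table that points at wg1.
/routing table add name=via-vpn fib
/ip route add dst-address=0.0.0.0/0 gateway=wg1 routing-table=via-vpn
/routing rule
add dst-address=10.10.10.0/24 action=lookup table=main
add src-address=10.10.10.0/24 action=lookup-only-in-table table=via-vpn

/ip firewall nat
add chain=srcnat out-interface=wg1 action=masquerade
add chain=srcnat out-interface=wlan1 action=masquerade
/ip firewall filter
# Kill switch: VPN-SSID traffic never leaves through the raw uplink if wg1 is down.
add chain=forward in-interface=wlan-vpn out-interface=!wg1 action=drop
# The uplink is untrusted: accept only replies to traffic the router started.
add chain=input in-interface=wlan1 connection-state=established,related action=accept
add chain=input in-interface=wlan1 action=drop
```

The forward drop rule is what keeps clients on the VPN SSID from falling back to the public network when the tunnel cannot be established through a restrictive firewall.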