In general VRF-aware services are pretty cool yes, but we are missing the possibility to have a service working in multiple VRFs (eg vrf=main,mgmt) or just being able to use "all" or "any".
What will solve your issue is some type of route-leaking between VRFs.
https://help.mikrotik.com/docs/display/ ... d%20of,N/A
The service will be attached to a specific VRF, but the routing between VRF will allow communication between those VRFs and then reach that service.
This is the best solution if you need non-blocking performance between VRF.
Another solution to that is a Virtual Tunnel interconecting VRFs (a virtual coffin hook).
Considering we are talking about Management this is the best solution!
With this, we can dedicate an ACL (Firewall Rules) to this interface and protect the box.