How to do VRF and Subnet NAT?

Hello I do not know to to make VRF work with multiple vlans on a vlan uplink port.

I tried for now with only 1 VLAN 192.168.215.0/24 from a Siemens NCU and it is working when using VRF ID 0 but when changing to VRF ID 1 or higher it isnt working anymore.

This is how my partial forti cfg looks like with VRF ID 0:

I created a OT-2-DNS Policy and a Clients-2-OT Policy where on first Policy a POOLNAME is created which does 1:1 nat from 192.168.215.0/24 to 10.x.1.0/24 and in policy 2 there is a VIP NAT-OT-192.168.215.0/24 linked which NATs inbound connections. This all is working fine without VRF IDs when OT machine makes outbound connection to DNS its ip is rewritten into 10.x.1.1/24 when it has 192.168.215.1/24 configured and when I make a inbound connection forti transaltes 10.x.1.1/24 to 192.168.215.1/24.

As soon as I add a VRF ID all stops working. How must i proceed here? My goal is to have multiple 192.168.215.0/24 vlans with different vrf ids and different NAT policies.

config firewall policy
    edit 3
        set name "OT-2-DNS"
        set uuid 40684b00-add1-51ef-45db-5b65d5a0b3b0
        set srcintf "OT"
        set dstintf "wan"
        set action accept
        set srcaddr "NET-192.168.215.0/24"
        set dstaddr "DNS"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "NAT-OT-192.168.215.0/24"
    next
    edit 2
        set name "Clients-2-OT"
        set uuid aaaac244-adc8-51ef-b13a-c6e91744b2b3
        set srcintf "wan"
        set dstintf "OT"
        set action accept
        set srcaddr "NET-Clients-10.x.8.0/22"
        set dstaddr "NAT-OT-192.168.215.0/24"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
config router static
    edit 11
        set gateway 10.x.x.254
        set device "wan"
    next
end
config system interface
    edit "OT"
        set vdom "root"
        set ip 192.168.215.254 255.255.255.0
        set allowaccess ping
        set device-identification enable
        set role lan
        set snmp-index 11
        set interface "a"
        set vlanid 500
    next
end

config firewall vip
    edit "NAT-OT-192.168.215.0/24"
        set uuid 01ec9064-adc9-51ef-b06f-b41994035400
        set extip 10.x.1.1-10.x.1.254
        set mappedip "192.168.215.1-192.168.215.254"
        set extintf "any"
        set nat-source-vip enable
    next
end

config firewall ippool
    edit "NAT-OT-192.168.215.0/24"
        set type one-to-one
        set startip 10.x.1.1
        set endip 10.x.1.254
    next
end