Need help with Sophos configuration BGP, IGW and default route selection

Highlights of my company’s AWS architecture are as follows:

1. My company would like to filter and monitor all traffic to and from the Internet; as such wants to utilize the path through our Direct Connect via on-prem Datacenter for Internet access, not the default IGW path from AWS.
2. We are using BGP from on-prem to injected default route to Sophos over AWS tunnels, as path to the Internet.
3. We current have achieved ingress (from Internet) through on-prem path, however, egress is defaulting to IGW; hence Asymmetric Routing.
4. Need help with  limiting traffic on IGW to do just the following:
   1. Remove default route from IGW and use default injected to Sophos by BGP
   2. Establish a transit VPC with Sophos as CGW 
   3. Establish site-site VPN links between other VGWs and Sophos (CGW)
   4. Allow ports needed to establish/allow access to Sophos including 4443 and 4444)
   5. Allow BGP protocol (TCP 179)
   6. Probably more TBD to satisfy any AWS requirements
   7. Remote Access SSLVPN also need to flow through on-prem path.