Rules are required for the direction in which the traffic flow is initiated, from the ingress zone to the egress zone.
When a packet arrives on an interface, the zone assigned to that interface becomes the ingress zone of the policy.
A route lookup occurs for the destination address; the interface out of which routing sends the packet becomes the egress zone of the policy.
So your policy needs to be set up between these two zones. With a VPN, traffic from the local site to the remote site has an egress zone of the tunnel interface and an ingress zone of wherever the packet came into the firewall.
Traffic from the remote side of the VPN has an ingress zone of the tunnel interface and an egress zone of wherever the traffic leaves the firewall.
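The zone derivation described in this post, as an added example that is not part of the original post or any vendor's code: a small Python model that maps the arrival interface to the ingress zone, does a longest-prefix route lookup to find the egress interface and zone, and then matches zone-pair rules. The interface names, prefixes and rule names are constructed sample values, and the intrazone-allow / interzone-deny defaults are assumptions.

```python
import ipaddress

# Constructed sample data: interface -> zone, including a VPN tunnel interface.
INTERFACE_ZONES = {
    "ethernet1/1": "untrust",
    "ethernet1/2": "trust",
    "tunnel.1": "vpn",
}

# Constructed routing table: (destination prefix, egress interface).
ROUTES = [
    ("10.1.0.0/16", "ethernet1/2"),   # local LAN
    ("10.2.0.0/16", "tunnel.1"),      # remote site reached over the VPN
    ("0.0.0.0/0", "ethernet1/1"),     # default route to the internet
]

# Constructed security rules, matched on (ingress zone, egress zone), first match wins.
RULES = [
    {"name": "lan-to-vpn", "from": "trust", "to": "vpn", "action": "allow"},
    {"name": "vpn-to-lan", "from": "vpn", "to": "trust", "action": "allow"},
    {"name": "lan-to-internet", "from": "trust", "to": "untrust", "action": "allow"},
]

def egress_interface(dst_ip):
    """Longest-prefix-match route lookup; returns the interface the packet leaves on."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise LookupError(f"no route to {dst_ip}")
    return best[1]

def zone_pair(ingress_iface, dst_ip):
    """Ingress zone comes from the arrival interface, egress zone from the route lookup."""
    return INTERFACE_ZONES[ingress_iface], INTERFACE_ZONES[egress_interface(dst_ip)]

def evaluate(ingress_iface, dst_ip):
    """Return (rule name, action) for the first rule whose zone pair matches the flow."""
    src_zone, dst_zone = zone_pair(ingress_iface, dst_ip)
    for rule in RULES:
        if rule["from"] == src_zone and rule["to"] == dst_zone:
            return rule["name"], rule["action"]
    if src_zone == dst_zone:
        return "intrazone-default", "allow"   # assumed default for same-zone traffic
    return "interzone-default", "deny"        # assumed default: unmatched zone pairs are dropped
```

Note that the same "vpn" zone appears as the egress zone for LAN-initiated sessions and as the ingress zone for sessions initiated from the remote site, so each direction needs its own rule.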