I don't have a definitive answer for you but I think what you are asking is potentially possible via CSO - but not in a unified way.
First of all: Contrail Service Orchestrator (CSO) is the SD-WAN product, whereas Contrail Enterprise Multicloud (CEM) is for the datacenter and cloud networking. These two products have no interaction whatsoever, even though they are both named "Contrail".
CSO is multi-tenant where you can deploy a "Provider HUB" which can serve multiple different CSO tenants. There is also a possibility to implement an "Enterprise HUB" which is tied to a specific CSO tenant.
Within a tenant you can deploy branch locations with an SRX/NFX + EX switches. The switches are only Layer2-aware so all layer3 is handled by the SRX/NFX. On the SRX/NFX you can divide the device into several different departments each put into their own respective VRF (or some departments in the same VRF - your choice). These are connected to different logical interfaces down towards the switch providing the functionality I expect you are searching for.
There should be possibilities to do 802.1x auth via templates in CSO or maybe some integration with Forescout, but I don't have any details on that part... but if you can create the template yourself, it should be doable.
The enterprise HUB can provide connectivity towards your datacenter for the different VRFs but you have to manually combine them with the configuration in your CEM environment.
In regards to cloud connectivity, vSRX can still be used with CSO to provide a device in AWS/Azure/GCP with the different VRFs etc.
I hope this input at least gives you answers to some of your questions. If you need more information, please follow up in this thread and I will try to answer the best I can.
If you really want to know if your use case will be doable, I recommend that you reach out to your local Juniper account team.
With bigger moves, do you mean a unified solution across SD-WAN/branch, enterprise datacenter and public clouds? If this is your scope I do not expect a complete solution from Juniper spanning everything in one single solution.
I could see some tighter integrations where SD-WAN/branch is made aware of the Contrail Enterprise Multicloud overlay and underlay services for easier integration but as the products have very different focus I do not see them merge together.
You could do your own software offering binding some of the services together as all functionality in both solutions is fully exposed via APIs. But this is not simple to do and will require a lot of effort.
Regarding multitenancy I see Juniper as one of the leaders as many of the offerings from other vendors are very enterprise with the limitations it often gives.
P.S. If you find the answer useful, please mark it as a solution or at least give a kudo so that others can more easily find threads which can help them with similar questions 🙂