Hi,
I don't have a definitive answer for you but I think what you are asking is potentially possible via CSO - but not in a unified way.
First of all: Contrail Service Orchestrator (CSO) is the SD-WAN product, whereas Contrail Enterprise Multicloud (CEM) is for the datacenter and cloud networking. These two products have no interaction whatsoever, even though they are both named "Contrail".
Regarding SD-WAN/CSO:
CSO is multi-tenant where you can deploy a "Provider HUB" which can serve multiple different CSO tenants. There is also a possibility to implement an "Enterprise HUB" which is tied to a specific CSO tenant.
Within a tenant you can deploy branch locations with an SRX/NFX + EX switches. The switches are only Layer 2-aware, so all Layer 3 is handled by the SRX/NFX. On the SRX/NFX you can divide the device into several different departments, each put into its own respective VRF (or some departments in the same VRF - your choice). These are connected to different logical interfaces down towards the switch, providing the functionality I expect you are searching for.
There should be possibilities to do 802.1x auth via templates in CSO, or maybe some integration with Forescout, but I don't have any details on that part. But if you can create the template yourself, it should be doable.
The enterprise HUB can provide connectivity towards your datacenter for the different VRFs, but you have to manually combine them with the configuration in your CEM environment.
In regards to cloud connectivity, vSRX can still be used with CSO to provide a device in AWS/Azure/GCP with the different VRFs etc.
I hope this input at least gives you answers to some of your questions. If you need more information, please follow up in this thread and I will try to answer the best I can.
If you really want to know if your use case will be doable, I recommend you reach out to your local Juniper account team.
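As an added illustration of the per-department layout described in the reply above (this is not configuration from the original post and not output generated by CSO; interface names, VLAN IDs, addresses, zone and routing-instance names are assumed), here is the shape of the Junos configuration an SRX would carry for two departments, each on its own VLAN-tagged logical interface towards the EX switch and each in its own VRF:

```junos
## Assumed example: two departments, two VLAN-tagged logical interfaces, two VRFs.
interfaces {
    ge-0/0/1 {
        description "Trunk down to EX switch";
        vlan-tagging;
        unit 10 {
            vlan-id 10;
            family inet {
                address 10.10.10.1/24;   # assumed gateway for department A
            }
        }
        unit 20 {
            vlan-id 20;
            family inet {
                address 10.10.20.1/24;   # assumed gateway for department B
            }
        }
    }
}
routing-instances {
    DEPT-A {
        instance-type virtual-router;
        interface ge-0/0/1.10;
    }
    DEPT-B {
        instance-type virtual-router;
        interface ge-0/0/1.20;
    }
}
security {
    zones {
        security-zone DEPT-A {
            interfaces {
                ge-0/0/1.10;
            }
        }
        security-zone DEPT-B {
            interfaces {
                ge-0/0/1.20;
            }
        }
    }
    ## No policy from DEPT-A to DEPT-B is defined, so the SRX default deny
    ## keeps the departments separated even if a route between the VRFs
    ## were ever leaked; add explicit policies only for flows you intend.
}
```

The separate routing instances keep the departments' routing tables apart, and the separate security zones mean that inter-department traffic is only permitted where a policy explicitly allows it. Whatever CSO templates you end up with, it is worth verifying on the device (`show route instance`, `show security policies`) that the zones and instances really line up with the departments you intended.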