Thank you for your continued assistance.
I set the policy per the example you gave, but the site is still unreachable.
When I reviewed the article you quoted, I found this line:
set route 1.1.1.1/32 interface untrust gateway 10.1.1.1
I attempted to modify that for my use as
set route <hub external IP/32> interface untrust gateway <hub internal gateway IP>
but it took down my VPN tunnel.
Do I need this command in my spoke site firewall?