When an XG firewall is connected to another firewall via VPN, the XG firewall cannot route traffic to the remote protected network by default. Instead, you have to set up a special route and SNAT using the console in order for it to work, and you are apparently required to specify hosts rather than whole networks when setting up the route (see https://community.sophos.com/kb/en-us/123334).
The UTM9 firewall can route traffic through the VPN tunnel by default. I can't believe this problem is a "feature" in XG. Adding extra steps to make something work less well than something that just automatically worked in UTM9 is supremely frustrating. The XG is on the protected network that is part of the VPN already. It should know how to route traffic. You'll run into this problem any time you connect a branch office back to a datacenter/head office and need to have the branch firewall connect to an authentication server on the other end of the tunnel.