Computers dropping out of BigFix - VPN & DMZ

I believe _BESClientSelect_FailoverRelay can only be a single relay, not a list, so it sounds like you have that set incorrectly.

This is the one that allows a list of failover relays to be tried in succession: _BESClientSelect_FailoverRelayList

You might want your failover list to start with a VPN relay, followed by a DMZ relay.

This setting won’t help with your primary issue, but it will allow clients that are currently talking to a DMZ relay to switch to a VPN relay when the VPN is connected, so it is a good idea for all clients using DMZ or VPN relays.

You really want both TCP & UDP over 52311 and ICMP to be allowed over the VPN. You technically don’t need ICMP to work over VPN for the failover relay settings to work, since those don’t rely on ICMP. It does seem like this might be your issue, that ICMP isn’t working to the VPN relays.
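A way to check the TCP part of the advice above, as an added example that is not part of the original post: it walks a failover relay list in order (VPN relay first, then DMZ relay) and reports which entries accept a TCP connection on 52311. The semicolon-delimited URL format of the list value and the relay hostnames are assumptions; UDP and ICMP are not tested here.

```python
import socket
from urllib.parse import urlsplit

BES_PORT = 52311  # port named in the post above


def parse_failover_list(value):
    """Split a relay list into ordered (host, port) pairs.

    Assumption: entries are semicolon-delimited, either full URLs or host[:port].
    """
    relays = []
    for entry in (e.strip() for e in value.split(";")):
        if not entry:
            continue
        parts = urlsplit(entry if "//" in entry else "//" + entry)
        if parts.hostname is None:
            raise ValueError(f"cannot parse relay entry: {entry!r}")
        relays.append((parts.hostname, parts.port or BES_PORT))
    return relays


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_in_order(value, check=tcp_reachable):
    """Probe every relay in list order; return (first reachable, all results)."""
    results = [(h, p, check(h, p)) for h, p in parse_failover_list(value)]
    first = next(((h, p) for h, p, ok in results if ok), None)
    return first, results


if __name__ == "__main__":
    # Constructed sample value: VPN relay first, then DMZ relay (hypothetical names).
    sample = ("http://vpn-relay.example.internal:52311/bfmirror/downloads/;"
              "http://dmz-relay.example.com:52311/bfmirror/downloads/")
    first, results = probe_in_order(sample)
    for host, port, ok in results:
        print(f"{host}:{port} tcp {'open' if ok else 'unreachable'}")
    print("first reachable relay:", first)
```

Run it once with the VPN connected and once without; the first reachable entry should change from the VPN relay to the DMZ relay.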