On the FortiSwitch port connected to Juniper port, you would conifgure "Allowed VLAN's" and specify the VLAN's that you want communicated to the Juniper side. The allowed VLAN list for each port specifies the VLAN tag values for which the port can transmit or receive frames. See more: docs.fortinet.com/document/fortiswitch/6.4.6/administration-guide/146333/vlans-and-vlan-tagging#Allowed

See 1:10 to 1:50 which covers it. the 'onboarding' VLAN is where the "non-authorized" devices are placed until it matches a NAC rule. So as long as your firewall policies don't allow any access then that will achieve the end result that you are looking for

Whether it's necessary would probably depend on the security that the customer expects, and the access that the firewall policy is providing.

You can use wildcard to make it more scalable. I don't believe you can add many MAC addresses to the same rule though