Here it says "You must designate at least one access point as root and one as mesh access point."
Here it says "For APX access points, there's no need to specify the mesh role. If the mesh-enabled SSID is pushed to two APXs, the one with the existing Ethernet connection to the Sophos Firewall becomes the root access point. Once the mesh-enabled SSIDs are pushed to the APXs, it’s advisable to restart them."
The first seems to be true, but there is also a glitch in Firewall WebAdmin: First the role is asked, after selecting the AP the dropdown box disappears.