We've been having some issues with some Microsoft FQDNs and have used FQDN hosts with the * filter, though with some Microsoft services we've found they will use a local Akamai or CDN in some cases and will not match the *.domain pattern properly.
Trying to move some of those domains to Web Policies, but the default action at the bottom of the policy (allow/deny) makes it inflexible and more or less requires you to match all your web traffic with a single rule, which is not ideal for us as you end up with a really complex single rule that nobody wants to touch. I would much prefer to see another action be available, like Bypass or Ignore, to allow rules to be matched to firewall rules situated underneath this rule.
We usually group a couple of rules with functions that are similar, i.e. Conferencing, Updates, Telemetry, Productivity, 3rd Party, etc.
The other issue we hit with web policies, when we match them with web categories that we create out of Sophos Central, is that we need a per-site override of QoS because not each site has the same bandwidth capabilities. Setting it locally via the web GUI means it will get overridden by whatever is set in Sophos Central if it gets updated (usually a QoS of none), which is really not ideal.
You are correct in that traffic (e.g. a TCP stream) can only match a single firewall rule and only match a single web policy. You cannot match a firewall rule, get a web policy, fall to the default action of the web policy and then go to the next firewall rule. This will not change: once a firewall rule is chosen for given traffic it cannot change. However, I am curious what you are trying to do that is not working for you. It may be that if you explain your end goal, there may be a manageable way of achieving it.
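The following is an added illustration, not part of either post and not Sophos code: a toy model of the first-match evaluation the reply describes, in which the first matching firewall rule is final and a web policy's default action never falls through to a later rule. Rule names, hostnames and the use of shell-style globs for both FQDN hosts and web-policy patterns are constructed assumptions for the example (the real product's pattern semantics are not reproduced here). It shows the two points raised in the thread: a wildcard pattern on the service's domain does not match a CDN hostname, and a broad web-filtered rule placed above narrower rules swallows traffic that the narrower rules were meant to handle.

```python
"""Toy first-match model of firewall rules with attached web policies.

Added example, not Sophos code. All names, hosts and semantics are constructed
for illustration; globs are used as a stand-in for FQDN / web-policy matching.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class WebPolicy:
    name: str
    rules: list           # ordered (host_glob, "allow" | "block") pairs
    default_action: str   # applied when no rule in the policy matches

    def decide(self, host: str) -> str:
        for pattern, action in self.rules:
            if fnmatchcase(host, pattern):
                return action
        return self.default_action   # final: there is no "bypass" to a later firewall rule


@dataclass
class FirewallRule:
    name: str
    dest_globs: list                      # destination FQDN patterns
    web_policy: Optional[WebPolicy] = None
    action: str = "allow"                 # "allow" or "drop"


def evaluate(rules: list, host: str) -> tuple:
    """Return (matched_rule_name, decision) for a connection to `host`.

    Mirrors the model in the reply: the first firewall rule whose destination
    matches is chosen and never revisited; if it carries a web policy, that
    policy's verdict (including its default action) is the final decision.
    """
    for rule in rules:
        if not any(fnmatchcase(host, g) for g in rule.dest_globs):
            continue
        if rule.action == "drop" or rule.web_policy is None:
            return rule.name, rule.action
        return rule.name, rule.web_policy.decide(host)
    return None, "drop"   # constructed implicit default when nothing matches


# Constructed sample policies and rule sets (hypothetical names and domains).
PRODUCTIVITY = WebPolicy("Productivity", [("*.office.example", "allow")], default_action="block")
UPDATES = WebPolicy("Updates", [("*.update.example", "allow")], default_action="block")

# Ordering A: a broad web-filtered rule on top; the Updates rule below is unreachable.
BROAD_FIRST = [
    FirewallRule("Productivity (all web)", ["*"], PRODUCTIVITY),
    FirewallRule("Updates", ["*.update.example"], UPDATES),
]

# Ordering B: narrow destination matches first, broad catch-all last.
NARROW_FIRST = [
    FirewallRule("Updates", ["*.update.example"], UPDATES),
    FirewallRule("Productivity (all web)", ["*"], PRODUCTIVITY),
]


def wildcard_matches(host: str, fqdn_glob: str) -> bool:
    """Does an FQDN-host wildcard match a hostname? Used to show the CDN gap."""
    return fnmatchcase(host, fqdn_glob)


if __name__ == "__main__":
    for label, rules in (("broad first", BROAD_FIRST), ("narrow first", NARROW_FIRST)):
        for host in ("dl.update.example", "cdn7.example-cdn.net"):
            print(label, host, "->", evaluate(rules, host))
    # Constructed CDN hostname: the service's *.update.example wildcard never matches it.
    print("wildcard hits CDN host:", wildcard_matches("cdn7.example-cdn.net", "*.update.example"))
```

With the broad rule on top, an update download is blocked by the Productivity policy's default action and the Updates rule underneath is never consulted, which is exactly the fall-through the reply says cannot happen. Reordering so that narrow destination rules sit above the catch-all gets the intended result without a single giant rule. The constructed CDN hostname is blocked in both orderings, because no wildcard on the service's own domain covers it; only a rule that names the CDN hosts themselves would.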