User error, as usual.
You have the same pool for the VLAN and the VPN. So you're saying that the whole 10.97.20.0/24 is on the "97 TRUSTED VLAN" interface, but it's not true, because some addresses are elsewhere. A device connected to the VLAN expects all these addresses to be directly reachable, because they are in the same subnet. But they are not. If you want to keep the same pool, then it's either your srcnat, or you can enable proxy ARP on the "97 TRUSTED VLAN" interface (arp=proxy-arp).
Btw, if this is your whole config, then you have no firewall at all and everything is wide open, which is not ideal.
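The situation described in the reply, as an added RouterOS configuration example (not the poster's or the original author's config): a VLAN interface holding 10.97.20.1/24 while the VPN hands out addresses from the same 10.97.20.0/24 range, followed by the proxy-ARP fix and the srcnat alternative. The address 10.97.20.1, the pool name `vpn-pool`, its range 10.97.20.200-10.97.20.250 and the minimal input-chain rules are assumptions for illustration; only the interface name "97 TRUSTED VLAN" and the subnet come from the thread.

```routeros
# Added example, not from the thread. Assumed values: the router owns
# 10.97.20.1/24 on "97 TRUSTED VLAN", and the VPN server (any type that
# assigns pool addresses) uses the hypothetical pool "vpn-pool" carved out
# of the same subnet.

# The overlapping setup. A VLAN host wanting to reach 10.97.20.200 (a VPN
# client) sends an ARP request on the VLAN segment; nothing there owns that
# address, so no reply arrives and the frame is never sent to the router.
/ip address add address=10.97.20.1/24 interface="97 TRUSTED VLAN"
/ip pool add name=vpn-pool ranges=10.97.20.200-10.97.20.250

# Fix 1: proxy ARP on the VLAN interface. The router answers ARP requests
# for addresses it can route (the VPN clients), so VLAN hosts send those
# frames to the router's MAC and it forwards them over the VPN.
/interface vlan set [find name="97 TRUSTED VLAN"] arp=proxy-arp

# Fix 2 (alternative; one reading of "it's either your srcnat"): rewrite the
# source of VPN-to-VLAN traffic to the router's own VLAN address, so VLAN
# hosts reply to an address that really is on their segment. Costs you the
# original client address in VLAN-side logs, which proxy ARP preserves.
/ip firewall nat add chain=srcnat src-address=10.97.20.200-10.97.20.250 \
    out-interface="97 TRUSTED VLAN" action=masquerade

# Baseline input-chain firewall, since the thread notes there is none.
# Order matters: accept established/related first, drop invalid, accept
# management from the trusted VLAN, drop everything else that targets the
# router itself. Add an accept for your VPN and its ports before the final
# drop, and test from the trusted VLAN so you do not lock yourself out.
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input connection-state=invalid action=drop
/ip firewall filter add chain=input in-interface="97 TRUSTED VLAN" action=accept
/ip firewall filter add chain=input action=drop
```

Apply either fix 1 or fix 2 for the reachability problem, not both; proxy ARP is the one that keeps the VPN clients' real addresses visible on the VLAN. Check the effect with `/ip arp print` on the router and an ARP table dump on a VLAN host: after enabling proxy ARP the router's MAC should appear for the VPN client address.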