Computer networks
liks, 2019-07-27 20:50:03

How to translate an IP address from one subnet to another using MikroTik?

Gentlemen, I can’t figure out how to do it right:
There are two offices with Mikrotiks, an SSTP tunnel with IP addresses 172.16.30.1 and 172.16.30.2 is stretched between them.
In one office, the subnet is 192.168.
The problem is that when I ping a computer in one subnet from the other, the firewall on the destination computer drops the pings because it sees that they come from a subnet other than the one it is located in. If I disable the firewall, everything works fine.
Question: what do I need to do on the MikroTiks so that for packets going from one subnet to the other the source IP is rewritten, and the destination computer thinks the packet came from its own subnet? I know I need to dig in the direction of NAT, but trying things at random didn't work out, since I haven't really dealt with NATting before. Please help.
Happy Holidays, by the way :)

4 answer(s)
Dmitry, 2019-07-27
@liks

NAT will reduce network performance.
Maybe it's worth setting up the firewalls on the clients instead?

res2001, 2019-07-28
@res2001

You should not deploy NAT - that way you kill other possibilities; for example, access to network shares in the neighboring network will no longer be a trivial task.
The Windows firewall is relatively easy to manage remotely, even without AD etc. - the netsh console command can control the firewall remotely. Naturally, it needs to be run with admin rights on the remote PC.
I hope at least the admin username/password is the same on your computers?

AkaZLOY, 2019-07-30
@AkaZLOY

Here you need to dig in the direction of the domain in the office (if, of course, one exists) and use it to whitelist these subnets. If there is no domain, then do it on each computer.
About NAT. Imagine that every packet going into the tunnel has its source IP address rewritten. This greatly affects performance. Personally, I did this only to hide the routes to my internal networks on a client device where there is no DMZ. What you are suggesting is a crutch.
In any case, I don't know what tasks you are solving, or why SSTP is being used instead of plain GRE or EoIP (since both ends are MikroTiks). So, below are two NAT rules as the answer to your question.
For a router with tunnel address 172.16.30.1:
For the second one, respectively:

ip firewall nat add chain=srcnat in-interface="интерфейс sstp-туннеля2" dst-address=192.168.13.0/24 action=src-nat to-addresses="адрес микротика2"

Korben5E, 2019-10-01
@Korben5E

If the ping passes with FW disabled, then you need to add an allow rule specifically for your subnets and set it higher.
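The client-side fix that res2001, AkaZLOY and Korben5E all point to, as an added example that is not part of the thread: a Windows Defender Firewall rule that allows ICMP echo requests only from the other office's subnet, applied locally or over WinRM to several PCs. It uses 192.168.13.0/24 from the thread; the second office subnet, the computer names and the rule name are placeholders.

```powershell
# Added example, not from the thread. Allow ICMPv4 echo requests from the
# remote office's subnet on Windows hosts instead of hiding the real source
# behind src-nat on the MikroTik (which loses the true source address in
# host logs and breaks things like SMB shares, as the answers above note).
# 192.168.13.0/24 is from the thread; '192.168.XX.0/24' is a placeholder
# for the second office's subnet and must be replaced.
$RemoteSubnets = @('192.168.13.0/24', '192.168.XX.0/24')

# The rule itself, kept in a scriptblock so the same code runs locally and
# remotely. New-NetFirewallRule is the PowerShell equivalent of the netsh
# advfirewall command res2001 mentions; -IcmpType 8 = echo request only.
$RuleBlock = {
    param([string[]]$Subnets)
    New-NetFirewallRule -DisplayName 'Allow ICMPv4 echo from branch office' `
        -Direction Inbound -Action Allow -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress $Subnets -Profile Any -Enabled True | Out-Null
}

# Apply on this host (run from an elevated PowerShell).
& $RuleBlock $RemoteSubnets

# Apply on remote PCs over WinRM; needs admin credentials on each target,
# exactly as the netsh approach does. Computer names are placeholders.
$Cred = Get-Credential
Invoke-Command -ComputerName 'pc01', 'pc02' -Credential $Cred `
    -ScriptBlock $RuleBlock -ArgumentList (, $RemoteSubnets)

# Verify the rule scope: only the two office subnets should be listed.
Get-NetFirewallRule -DisplayName 'Allow ICMPv4 echo from branch office' |
    Get-NetFirewallAddressFilter
```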
