Using Orbi In AP Mode

Yes, this can work.  I, personally, hesitate to recommend such a complicated configuration.

First, you have to find a WiFi router that includes VPN Client capability.  There are no Netgear routers that have this feature.

This creates two entirely separate WiFi networks (one for those special devices and one (the Orbi) for everything else.)

That means two separate WiFi routers to maintain.

If the Orbi is providing a wider area of coverage, how will this new router match that coverage?

Whatever is hard coded on that second router will be invisible to the Orbi router (hidden behind the second router NAT).

My guess is that the first solution offered is probably the most efficient:

• Choose a non WiFi router which is capable of designating that certain IP addresses are forced to use a VPN client (on that router)
• Place the Orbi in AP mode so that the primary router recognizes the MAC address of every device that asks for an IP address and is put into the correct "pool" of IPs.

The problem is that I have no idea what router is capable of this.  I guarantee no Netgear router can.  This is just a guess, but I doubt very much that any of the major consumer WiFi products will, either (eero, Google, Linksys, TP-Link......)

It appears that Ubiquiti routers have the ability to become a VPN Client:

https://support.nordvpn.com/Connectivity/Router/1047410702/EdgeRouter-and-Ubiquiti-setup-with-NordVPN.htm 

What I do not see in any of the searches is how to force certain devices to use the VPN and other not to.