It is not a product limitation, but rather how networks work in general.
As you may know, WiFi Guard identifies network devices by their MAC address, so the known MAC addresses are whitelisted whereas an unknown MAC address will trigger an alert. However MAC addresses can only be resolved within the local subnet. The ARP protocol messages used to resolve MAC addresses are not forwarded between subnets.
For this reason the IP scanner programs that you have tried would show you devices in the other subnets but not their MAC addresses. Some IP scanners may employ special techniques to get MAC addresses from some devices, but for most devices it's not possible to determine their MAC address via VPN. Since WiFi Guard can't determine their MAC addresses via VPN either, they cannot be used for identification and are not shown.
Normally this can be worked around by using some kind of agent program (or WiFi Guard) in each subnet, but since there are no dedicated servers in your subnets, I am afraid you wouldn't be able to track all devices in a centralised way.