as you can see. with FBF, there are no interfaces in the VR, so it cannot resolve the direct routes associated with the ge0/3 interface. You just need to set up a rib group to share interface routes into the vr- routing instance. You can use rib groups or instance-import. Instance -import is easier. There are many examples of setting up rib groups in this forum.
set routing-options rib-groups cust2-to-inet import-rib [inet.0 vr_customer2.inet.0]
set routing-options interface-routes rib-group inet cust2-to-inet
You MUST use inet.0 as one of the routing instances as indicated.
INSTANCE-IMPORT works same way (use one or the other)
set policy-options policy-statement CUST2-import from instance master
set policy-options policy-statement CUST2-import then accept
set routing-instance vr_customer2 routing-options instance-import CUST2-import
It matter that both the interfaces 0/0 and 0/2 are in the untrust zone, because you have no control over which path the traffic coming back in will take. Lets say the destination host also has connectivity to the same two ISP, the return traffic can use either of the interfaces and packet will be dropped if it is returned on the interface in another zone.
yo may also want to adjust your firewall filter to account for other traffic not belonging to cusomer 2. But if only that subnet os on ge0/3 then ok. Typically another term else-accept then accept.
BTW, you could improve on it by using two vr for both customers and making each ISP backup for the other customer. If you want.
Make sure policer is correct. got to go now.