ALICE does not use delegated credentials; they only use their authz token, which is embedded in the URL. For ALICE you need to disable the SSS enforcement on the FST side: EOS_FST_NO_SSS_ENFORCEMENT="1"
and this allows TPC transfers between your instance and any other instance.
For other use-cases, yes, the redirection endpoint can be a round-robin alias. Yes, you can install the PSS gateways on the FSTs if you want, and indeed the pss.origin needs to point to the MGM node.