If I understand you correctly, you want to allow access to the VDI infrastructure while someone is in the "logon" role. This should be possible. The question becomes: do you want to allow this through a link on the captive portal page (just no auth)? In order for the user to get there, you'll need to allow access as you suggest through the firewall rules.
In the logon role, add a new policy that is going to allow all the appropriate ports and destinations as permit. You'll need to determine what the hosts are and all the appropriate ports. These will need to go above the captiveportal ACL so it does not intercept any http/https requests.
For example:
netdestination "vdi-hosts"
  host x.x.x.x
  host x.x.x.x
ip access-list session "allow-vdi-access"
  user alias vdi-hosts svc-http permit
  user alias vdi-hosts svc-https permit
  user alias vdi-hosts <other services> permit
user-role <your logon role>
  access-list session "logon-control"
  access-list session "allow-vdi-access"
  access-list session "captiveportal"
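A way to check the ordering described above against a saved config, as an added example that is not part of the original post: the Python below reports when the pre-auth allow ACL sits below captiveportal in the role, and when one of its rules permits `any` destination instead of the VDI alias. The sample config, the role name `guest-logon` and the function names are constructed for illustration; the parser assumes indented stanzas and accepts both `access-list session NAME` and the shorter `access-list NAME` form.

```python
import re

# Constructed sample in the style of the post's config. The role name and the
# documentation-range host address are placeholders, not from the thread.
SAMPLE = """
netdestination vdi-hosts
  host 192.0.2.10
ip access-list session allow-vdi-access
  user alias vdi-hosts svc-http permit
  user any svc-https permit
user-role guest-logon
  access-list session logon-control
  access-list session captiveportal
  access-list session allow-vdi-access
"""

ROLE_ACL = re.compile(r"^(?:access-list(?:\s+session)?|session-acl)\s+(\S+)")

def parse(config):
    """Return (role -> ACL names in applied order, ACL name -> list of rules)."""
    roles, acls, kind, name = {}, {}, None, None
    for raw in config.splitlines():
        words = raw.replace('"', "").split()
        if words and not raw[0].isspace():  # unindented line opens a stanza
            kind = name = None
            if words[0] == "user-role" and len(words) > 1:
                kind, name = "role", words[1]
            elif words[:3] == ["ip", "access-list", "session"] and len(words) > 3:
                kind, name = "acl", words[3]
        elif words and kind == "role":
            m = ROLE_ACL.match(" ".join(words))
            if m:
                roles.setdefault(name, []).append(m.group(1))
        elif words and kind == "acl":
            acls.setdefault(name, []).append(words)
    return roles, acls

def check(config, role, allow_acl, portal_acl="captiveportal"):
    """List problems with a pre-auth allow ACL on the given role."""
    roles, acls = parse(config)
    order, issues = roles.get(role, []), []
    if allow_acl not in order:
        issues.append(f"{allow_acl} is not applied to role {role}")
    elif portal_acl in order and order.index(allow_acl) > order.index(portal_acl):
        issues.append(f"{allow_acl} is below {portal_acl}")
    for rule in acls.get(allow_acl, []):
        if len(rule) > 1 and rule[1] == "any" and "permit" in rule:
            issues.append("permit to any destination: " + " ".join(rule))
    return issues
```

`check(SAMPLE, "guest-logon", "allow-vdi-access")` reports both problems in the sample; an empty list means the allow ACL is applied above captiveportal and only permits aliased destinations.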