Securing a bunch of Machines

You write a long post - you get a long answer! :slight_smile:

It's a bug of some kind for sure. The quickstart was/is a "best effort" to get people going, *nix has so many variants that it's not hard to believe there's a bug here/there. :slight_smile: It does surprise me that dpkg --print-architecture prints ARM64.

I just used these images in Oracle Cloud and had no issue with the quickstart. I hate to ask, but, you're sure? :slight_smile: Maybe try with the image/shape I did? (I DID have to issue the iptables rules as you highlighted here)


Certainly. When I ran the quickstart, even with the IP address set in the EXTERNAL_DNS field, I still noticed my controller was incorrect. The config file located at $ZITI_HOME/$(hostname).yaml has the hostname in the edge.api.address and web.name.address fields. You need to change those to your IP address. You will need to make sure the cert presented by the controller has a SAN that matches the advertised address:

You'll also need to update the edge-router config. It's also pointing to the hostname for ctrl.endpoint. You'll want that to be the IP address. These seem like bugs that I'll ask @gberl002 to look into.

the "client" API, but always be accessible. The "management" API can absolutely be separated out. Take a look at this discourse post Making ZAC dark - #6 by TheLumberjack, I think it contains what you need. It's on my 'todo' list to document this, but we haven't gotten to it yet.

The "run-host" means, "do not intercept traffic, only 'host' it". You'd use this in a situation where you wanted to only offload from the zero trust overlay. It does not/shouldn't require sudo access as it doesn't need to make a TUN device. "Run" means, "allow traffic to offload, but ALSO intercept traffic" and requires systems to be present and to run with CAP_NET_ADMIN/sudo priv's to make the TUN device and run a couple other commands.

Up to you. Do you want the traffic to land at your "tunneler" and go back to the public IP? Probably not, I'd wager? :slight_smile: You just need to configure the IP you want the traffic to go toward, relative from where it leaves ziti. So, I would guess you want the private IP as long as it's addressable from the tunneler that's hosting the service (via the host.v1 config).

Not arbitrary, no. But also not "really specific". I could have used 172.31.42.64/32 since that's the private IP address of my expressInstall/quickstart. I was just lazy and let Amazon use the full /16. 172.31.0.0/16 covers the 172.31.42.64 IP. At 3m25s you can see the IP reflected by the name of my router. It might be in other places in the video but that's the first time I noticed the actual IP.

It sure is. The discourse post I mentioned earlier covers exactly that: Making ZAC dark

"Maybe" is the only answer that's correct here. It all depends. Networks are fickle and sometimes it's faster to go through the 'fabric' router, sometimes it's faster to go around it. On top of that, without knowing exactly how you configure your network, this one's impossible to answer. If you want to dig in on this, would you mind making another post? This one is getting long in the tooth. :slight_smile: If you could, make a diagram and show us what you're thinking for us to answer best. There's "lots" of scenarios. Far too many to enumerate, it's better to know where you're at, what you're doing and then we can answer better.

OpenZiti routers act as load balancers, yes. There are "terminator strategies" you can pick from. See https://openziti.github.io/ziti/services/overview.html#availability-and-scaling

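A small check to go with the SAN point in the answer above, added here as an example; it is not code from the post or from OpenZiti. It builds a constructed self-signed cert (hostname and IP are made up) and verifies that an advertised address, after you have swapped the hostname for an IP in edge.api.address, web.name.address or ctrl.endpoint, actually appears as a SAN on the cert the controller will present.

```shell
# cert_has_san CERT_PEM ADDRESS
# Returns 0 if ADDRESS is present as a DNS or IP Subject Alternative Name
# in the certificate, 1 otherwise. Needs OpenSSL 1.1.1+ for "x509 -ext".
cert_has_san() {
    cert="$1"
    addr="$2"
    sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null) || return 1
    # The extension prints as "DNS:host, IP Address:1.2.3.4". Split on commas,
    # drop the type prefix and compare each entry literally and in full, so
    # "172.31.42.6" cannot be mistaken for "172.31.42.64".
    printf '%s\n' "$sans" \
        | tr ',' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/^IP Address://' -e 's/^DNS://' \
        | grep -qxF -- "$addr"
}

# make_sample_cert DIR
# Constructed sample cert mimicking a quickstart controller: the CN is the
# hostname, and the SAN carries both the hostname and the private IP that
# the config should now advertise. Paths and names are assumptions.
make_sample_cert() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=quickstart-host" \
        -addext "subjectAltName=DNS:quickstart-host,IP:172.31.42.64" \
        -keyout "$dir/ctrl.key" -out "$dir/ctrl.crt" >/dev/null 2>&1
}

# Usage against a real controller cert, e.g. after editing $ZITI_HOME/$(hostname).yaml:
#   cert_has_san "$ZITI_PKI/<controller-cert>.cert" 172.31.42.64 || echo "SAN missing for advertised address"
```

If the function returns 1 for the address you put in the config, clients will get a TLS hostname mismatch even though the address itself is reachable.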