Re: Filter specific traffic on policy-based VPN


In order to do more specific filtering than just the matched subnets, you need to have a route-based VPN. The policy-based VPN policy is used to create the proxy-ID pairs, and these only work when they have that "any" for application.

And as you already pointed out, to have multiple proxy IDs for a route-based VPN you need the traffic selectors.

Upgrading to a version of Junos with traffic selectors is your best bet.

If you really cannot upgrade, you would need to apply the security policies after the tunnel. So you could move the tunnel termination to a virtual router routing instance, then pass that traffic into another routing instance where you apply security policies to the traffic in both directions as desired. But this is considerably more complex a setup.
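
The route-based layout recommended in the reply above, as an added configuration example that is not part of the original post. All names (VPN-PB, VPN-RB, GW-PEER, IPSEC-POL, the zone names, the address-book entries) and all subnets are constructed placeholders, and the IKE gateway and IPsec policy are assumed to be defined elsewhere.

```junos
# Constructed example: every name and prefix below is a placeholder.

# Before: policy-based VPN. The tunnel policy itself defines the proxy-ID
# pair, so the match stays at subnet level with "application any".
set security address-book global address LOCAL-NET-1 10.1.1.0/24
set security address-book global address REMOTE-NET-1 10.2.1.0/24
set security policies from-zone trust to-zone untrust policy VPN-OUT match source-address LOCAL-NET-1
set security policies from-zone trust to-zone untrust policy VPN-OUT match destination-address REMOTE-NET-1
set security policies from-zone trust to-zone untrust policy VPN-OUT match application any
set security policies from-zone trust to-zone untrust policy VPN-OUT then permit tunnel ipsec-vpn VPN-PB

# After: route-based VPN. The tunnel is bound to st0.0, which sits in its
# own zone, so ordinary zone policies decide what may cross the tunnel.
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set security ipsec vpn VPN-RB bind-interface st0.0
set security ipsec vpn VPN-RB ike gateway GW-PEER
set security ipsec vpn VPN-RB ike ipsec-policy IPSEC-POL

# One traffic selector per local/remote pair replaces the multiple
# proxy-ID pairs that the policy-based setup produced.
set security ipsec vpn VPN-RB traffic-selector TS1 local-ip 10.1.1.0/24 remote-ip 10.2.1.0/24
set security ipsec vpn VPN-RB traffic-selector TS2 local-ip 10.1.2.0/24 remote-ip 10.2.2.0/24

# Inbound from the tunnel: permit only HTTPS to the local subnet.
set security policies from-zone vpn to-zone trust policy IN-HTTPS match source-address REMOTE-NET-1
set security policies from-zone vpn to-zone trust policy IN-HTTPS match destination-address LOCAL-NET-1
set security policies from-zone vpn to-zone trust policy IN-HTTPS match application junos-https
set security policies from-zone vpn to-zone trust policy IN-HTTPS then permit

# Explicit, logged deny for everything else arriving over the tunnel.
set security policies from-zone vpn to-zone trust policy IN-DENY match source-address any
set security policies from-zone vpn to-zone trust policy IN-DENY match destination-address any
set security policies from-zone vpn to-zone trust policy IN-DENY match application any
set security policies from-zone vpn to-zone trust policy IN-DENY then deny
set security policies from-zone vpn to-zone trust policy IN-DENY then log session-init

# Outbound toward the tunnel: restrict in the other direction as well.
set security policies from-zone trust to-zone vpn policy OUT-SSH match source-address LOCAL-NET-1
set security policies from-zone trust to-zone vpn policy OUT-SSH match destination-address REMOTE-NET-1
set security policies from-zone trust to-zone vpn policy OUT-SSH match application junos-ssh
set security policies from-zone trust to-zone vpn policy OUT-SSH then permit
```

The traffic selectors must mirror what the remote peer proposes, and the policies then narrow what is allowed inside the negotiated subnets.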

