Is it necessary to create a two-way route for a transit gateway on AWS?
Each VPC / route table needs a route to the transit gateway. All routing is controlled by the route tables in AWS.
If you need shared internet egress you can have a VPC with a tgw endpoint and NAT gateway in a private subnet, routing to an internet gateway which is effectively in a public subnet. Then you can use AWS Network Firewall or similar to restrict egress.
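As an added illustration of the "routes in both directions" point and of the shared-egress layout described above (this is example code written for this page, not the answerer's own configuration and not anything published by AWS), here is a Terraform sketch with one spoke VPC and one egress VPC. The VPC CIDRs (10.1.0.0/16 spoke, 10.0.0.0/16 egress), the resource names, and the pre-existing VPC, subnet, NAT gateway, internet gateway and route table resources it references are all assumptions; the firewall endpoint insertion is left out to keep the routing visible.

```hcl
# Added example, not from the original answer. CIDRs, names and the
# VPC/subnet/NAT/IGW/route-table resources referenced here are assumptions.

resource "aws_ec2_transit_gateway" "hub" {
  description                     = "example hub"
  default_route_table_association = "disable" # manage TGW routes explicitly
  default_route_table_propagation = "disable"
}

resource "aws_ec2_transit_gateway_route_table" "hub" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}

# Attach the spoke VPC (10.1.0.0/16) and the shared egress VPC (10.0.0.0/16).
resource "aws_ec2_transit_gateway_vpc_attachment" "spoke" {
  transit_gateway_id                              = aws_ec2_transit_gateway.hub.id
  vpc_id                                          = aws_vpc.spoke.id          # assumed
  subnet_ids                                      = [aws_subnet.spoke_tgw.id] # assumed
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}

resource "aws_ec2_transit_gateway_vpc_attachment" "egress" {
  transit_gateway_id                              = aws_ec2_transit_gateway.hub.id
  vpc_id                                          = aws_vpc.egress.id          # assumed
  subnet_ids                                      = [aws_subnet.egress_tgw.id] # assumed
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}

resource "aws_ec2_transit_gateway_route_table_association" "spoke" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.spoke.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.hub.id
}

resource "aws_ec2_transit_gateway_route_table_association" "egress" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.egress.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.hub.id
}

# Direction 1: VPC route tables -> transit gateway.
# Spoke private subnets send everything off-VPC to the TGW.
resource "aws_route" "spoke_to_tgw" {
  route_table_id         = aws_route_table.spoke_private.id # assumed
  destination_cidr_block = "0.0.0.0/0"
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
}

# Egress VPC, TGW attachment subnet: forward internet-bound traffic to the NAT gateway.
resource "aws_route" "egress_attach_to_nat" {
  route_table_id         = aws_route_table.egress_tgw.id # assumed
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.egress.id # assumed
}

# Egress VPC, NAT gateway subnet: out to the internet gateway, and the
# return route for the spoke range back through the TGW. Without the
# second route the NAT gateway's subnet cannot answer the spoke at all.
resource "aws_route" "egress_nat_to_igw" {
  route_table_id         = aws_route_table.egress_nat.id # assumed
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.egress.id # assumed
}

resource "aws_route" "egress_nat_return_to_spoke" {
  route_table_id         = aws_route_table.egress_nat.id
  destination_cidr_block = "10.1.0.0/16"
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
}

# Direction 2: transit gateway route table -> attachments.
resource "aws_ec2_transit_gateway_route" "default_to_egress" {
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.egress.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.hub.id
}

resource "aws_ec2_transit_gateway_route" "to_spoke" {
  destination_cidr_block         = "10.1.0.0/16"
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.spoke.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.hub.id
}
```

The two resource families show the symmetry the answer is pointing at: an `aws_route` in each VPC route table gets packets to the transit gateway, and an `aws_ec2_transit_gateway_route` in the transit gateway's own table gets them from the transit gateway to the right attachment, and the reply path needs the same pair in the opposite direction (here, the spoke range back through the egress VPC and the `to_spoke` TGW route). Disabling the default association and propagation on the transit gateway is what makes every one of these routes explicit, which is also what you want when a firewall is later inserted in the egress path, since nothing reaches the internet that the route tables do not deliberately send there.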