Question about awsx/ec2/vpc. There are 3 subnet types: public, private, isolated. If I use isolated, can I still setup the instances inside this subnet to be reachable via a bastion and custom egress/ingress rules?

Yes. isolated subnets have no access IG or NAT so no direct access. If you have something inside your VPN (bastion, lambda, LB, anything) you can set up NACLs and SGs to allow access between that thing and the isolated subnets, then control your isolated resources that way.