This would be deployed separately but in close proximity to your sandboxes. You'd want to add network restrictions around sandboxes to only allow outbound requests to AV.
You'd add HTTPS_PROXY to your sandbox environment and pre-configure it to trust the AV CA.