Add a unique secondary CIDR range to each business unit's VPC, peer the VPCs, and use a private NAT gateway in the secondary range for routing traffic to the marketing team.

Deploy an Amazon EC2 instance as a virtual appliance in the marketing team's VPC and establish an AWS Site-to-Site VPN connection with each business unit's VPC, performing NAT where necessary.

Set up an AWS PrivateLink endpoint service for the marketing application, allowing specific AWS accounts access permissions and creating interface VPC endpoints in other accounts for private IP access.

Deploy a Network Load Balancer (NLB) in front of the marketing application within a private subnet, create an API Gateway API with Amazon API Gateway private integration to the NLB, enable IAM authorization for the API, and grant access to other business unit accounts.