In this configuration, the Palo Alto Networks device sends ARP replies from two different interfaces for the same IP. For Destination NAT, only the source zone and the original, untranslated IP address are checked to see whether the parameters match the NAT rule.
Cause
There is no check to see whether the destination zone matches the rule, since that would require an extra route lookup. If both zone interfaces can receive the ARP request, then both will respond with an ARP reply.
Workaround
The workaround for this issue is to replace the bi-directional NAT rule with separate Source and Destination NAT rules. In the Destination NAT rule, the source zone needs to be explicitly specified.
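
The following audit is an added example, not part of the original article and not Palo Alto Networks code: it scans a NAT rulebase export and flags bi-directional rules and Destination NAT rules that lack an explicit source zone. The sample XML, rule names, zones and addresses are constructed, and the element layout is assumed to match the PAN-OS XML configuration format.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of a PAN-OS NAT rulebase export; every rule
# name, zone and address here is made up for illustration.
SAMPLE = """<nat><rules>
 <entry name="web-bidir">
  <from><member>trust</member></from><to><member>untrust</member></to>
  <source><member>10.0.0.10</member></source><destination><member>any</member></destination>
  <source-translation><static-ip>
   <translated-address>203.0.113.10</translated-address>
   <bi-directional>yes</bi-directional>
  </static-ip></source-translation>
 </entry>
 <entry name="web-dst">
  <from><member>untrust</member></from><to><member>untrust</member></to>
  <source><member>any</member></source><destination><member>203.0.113.10</member></destination>
  <destination-translation><translated-address>10.0.0.10</translated-address></destination-translation>
 </entry>
 <entry name="mail-dst">
  <from><member>any</member></from><to><member>untrust</member></to>
  <source><member>any</member></source><destination><member>203.0.113.25</member></destination>
  <destination-translation><translated-address>10.0.0.25</translated-address></destination-translation>
 </entry>
</rules></nat>"""


def audit_nat_rules(xml_text):
    """Return (rule name, finding) pairs for rules open to the dual ARP reply."""
    findings = []
    for rule in ET.fromstring(xml_text).iter("entry"):
        name = rule.get("name")
        zones = [(m.text or "").strip() for m in rule.findall("from/member")]
        bidir = rule.findtext("source-translation/static-ip/bi-directional", "no")
        if bidir.strip() == "yes":
            # Per the workaround: replace with separate Source and Destination rules.
            findings.append((name, "bi-directional static NAT"))
        elif rule.find("destination-translation") is not None and (
            not zones or "any" in zones
        ):
            # Per the workaround: the source zone must be explicitly specified.
            findings.append((name, "destination NAT without an explicit source zone"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_nat_rules(SAMPLE):
        print(f"{name}: {finding}")
```

In the sample, `web-dst` passes because it names `untrust` as its source zone, which is the form the workaround asks for.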