Option B is correct because security groups are stateful; if the application security group allows inbound HTTPS from the web security group, the return traffic is automatically allowed. However, network ACLs are stateless, so the private subnet NACL must allow inbound traffic from the public subnet, which it does, but it must also allow outbound return traffic from the application servers to the web dispatchers. The outbound rule in the private NACL allows all traffic, so that is not the issue.
Looking at the topology again: the web dispatchers are in a public subnet whose NACL allows inbound HTTPS from the internet, while the application servers are in a private subnet and need to send return traffic. Since NACLs are stateless, the private subnet NACL must allow inbound HTTPS from the web dispatchers, which is configured, and also outbound traffic from the application servers. The outbound rule allows all, so that's fine.
Could the web dispatchers' security group be blocking the return traffic from the application servers? No, because security groups are stateful. To re-evaluate the flow: the web dispatchers initiate the connection to the application servers on port 443, and the application servers respond.
The web dispatchers' security group must allow outbound HTTPS to the application servers, which it does. The application servers' security group must allow inbound HTTPS from the web dispatchers, which it does. Since security groups are stateful, the return traffic is allowed.
Could the issue be routing? Everything is in the same VPC. Perhaps the web dispatchers are in a public subnet without a route to the private subnet? No: by default, every VPC route table has a local route, so routing is fine.
The most common issue with stateless NACLs is ephemeral ports for the response traffic. The outgoing response from the application servers is addressed to an ephemeral port on the web dispatchers, so the private subnet NACL must allow outbound traffic on those ports. The outbound rule allows all, so that's fine.
But the public subnet NACL must allow inbound ephemeral ports for the response traffic coming back to the web dispatchers. The public subnet NACL allows inbound HTTPS from the internet, but not necessarily ephemeral ports from the private subnet. So the issue is that the public subnet NACL does not allow inbound traffic on ephemeral ports from the private subnet.
Option A is incorrect because security groups are fine. Option C is incorrect because security groups are stateful. Option D is incorrect because routing should work.
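The following added example (not part of the original question or answer) models stateless NACL evaluation for the dispatcher-to-application HTTPS exchange and reports which hop drops it. The CIDRs, addresses, rule numbers, the allow-all outbound rule on the public subnet NACL, and the 1024-65535 ephemeral range are assumptions made for the illustration.

```python
import ipaddress

# Constructed CIDRs and addresses (assumptions, not from the question).
PUBLIC, PRIVATE = "10.0.1.0/24", "10.0.2.0/24"
DISPATCHER, APP = "10.0.1.10", "10.0.2.20"

def rule(num, cidr, lo, hi, action="allow"):
    return {"num": num, "cidr": ipaddress.ip_network(cidr), "ports": (lo, hi), "action": action}

def nacl_allows(rules, peer_ip, port):
    """Stateless NACL check: the lowest-numbered matching rule wins, else implicit deny.
    Inbound rules match the source CIDR, outbound rules the destination CIDR;
    the port range always applies to the destination port."""
    for r in sorted(rules, key=lambda r: r["num"]):
        lo, hi = r["ports"]
        if ipaddress.ip_address(peer_ip) in r["cidr"] and lo <= port <= hi:
            return r["action"] == "allow"
    return False

def round_trip(public_in, public_out, private_in, private_out, eph_port=49152):
    """Return the first NACL hop that drops the dispatcher -> app exchange, or None."""
    hops = [
        ("public outbound (request)", public_out, APP, 443),
        ("private inbound (request)", private_in, DISPATCHER, 443),
        ("private outbound (response)", private_out, DISPATCHER, eph_port),
        ("public inbound (response)", public_in, APP, eph_port),
    ]
    for name, rules, peer, port in hops:
        if not nacl_allows(rules, peer, port):
            return name
    return None

ALL = [rule(100, "0.0.0.0/0", 0, 65535)]         # allow-all (assumed for public outbound)
public_in = [rule(100, "0.0.0.0/0", 443, 443)]   # HTTPS from the internet only
private_in = [rule(100, PUBLIC, 443, 443)]       # HTTPS from the public subnet

# As configured in the scenario: the response is dropped entering the public subnet.
broken = round_trip(public_in, ALL, private_in, ALL)
# With an inbound ephemeral-port rule for the private subnet CIDR added.
fixed = round_trip(public_in + [rule(110, PRIVATE, 1024, 65535)], ALL, private_in, ALL)

if __name__ == "__main__":
    print("as configured:", broken)
    print("with ephemeral rule:", fixed)
```

Security groups are left out of the model on purpose: because they are stateful, they never drop the response to a connection they allowed.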