The default R7 config creates an ospf process with an assigned VRF (VPN_A). it's uplink to the PE (g1.67 to R6) is also in the same VRF. as such, I don't see how you can see the ospf routes outside of the VRF (as shown in the SG output for R7).
The R8-R5 peering is different, and this is what I believe to be a traditional PE-CE setup, as the CE is not in a VRF.
I was able to get this solution working with the existing config (I had to put the backdoor link on R7 into the VRF), but the SG output for traceroute and sh ip route from R7 is, I think, incorrect.