my understanding of it yes you can do multiple site and yes it should support universal. Actually if we follow product use case there is no universal - universal was used for cross-vc deployment.
Since NSX-T not tied to VC any more there is no need of universal any way. so NSX Manager will distribute firewall rules based on connection to controllers (remember in NSX-T Controllers are necessary but optional as in NSX-V). If you registered to NSX manager and Controller node you will get rules and there is no need to be marked as universal since there is no connection to VC.