Adding a private network behind hub and spoke

Question

So my org runs a hub and spoke design with NVA's in the Hub and an ExpressRoute back to our on-premises.

We extended our on premises network by having the spokes use the same IP space, lets say we use 172.16

And lets say our hub uses 192.168. it's invisible to the on-premise and spokes.

My dilemma is now I want to add a 10.0. private network into the spoke, so from an Azure perspective I would have the following

On-Premises <--ER--> Hub <--Peer--> Spoke <--???--> Private

Is there a built in service such as Load Balancer, App Gateway that would allow me to have endpoints in the Private network be exposed to the rest of my network via the Spokes IP range without having to setup another NVA?

I tried a Internal Load Balancer but it wants the VM's to be in the Spoke network not the Private.
You can't add two network interfaces from two different VNets to the same VM

The reason we're doing this is we have very limited network address space to assign to spokes however we would like them each to be able to use as much or as little as they need.

Thanks

Answer 1

@Phil Thibault

Is it possible to provide with a little more detailed network diagram of your setup? Thank you!

Answer 2

@Phil Thibault

Please let us know if you still need help with the above issue? Thank you!