Here's the thing: when you configure the receive connector as externally secured, you are essentially treating the message as trusted and authenticated, as if the actual user logged on and sent it.
Once Exchange considers it authenticated, it will force the proxy/alias to the default primary Reply-To address, and you can't change that.
The only way to make that work on-prem is to use an anonymous relay that is NOT externally secured.
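The two connector configurations the answer contrasts, as an added PowerShell example that is not part of the original post. The server name `EX01`, the application server address `10.0.0.50` and the addresses in the test send are constructed placeholders. Note that externally secured means every host inside `RemoteIPRanges` is treated as authenticated, so that range should be the single application host, never a whole subnet; and the anonymous connector should be equally narrow, since a broad range there is an open relay.

```powershell
# Added example, not from the original post. EX01, 10.0.0.50 and the mail addresses
# below are hypothetical. Create ONE of the two connectors for a given source host:
# Exchange refuses two connectors on one server with the same binding and an
# overlapping RemoteIPRanges.

$Server    = "EX01"
$AppServer = "10.0.0.50"   # the only host allowed to submit through the connector

# Option A: externally secured. Mail from $AppServer is treated as authenticated
# (ExternalAuthoritative requires the ExchangeServers permission group), so Exchange
# rewrites the sender to the mailbox's primary SMTP address; a proxy/alias in MAIL FROM
# does not survive.
New-ReceiveConnector -Server $Server -Name "Externally Secured Relay" `
    -Usage Custom -TransportRole FrontendTransport `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $AppServer `
    -PermissionGroups ExchangeServers -AuthMechanism ExternalAuthoritative

# Option B: anonymous relay, the configuration the answer recommends. The submission
# stays anonymous, so the alias used as the sender is passed through as-is.
New-ReceiveConnector -Server $Server -Name "Anonymous Relay" `
    -Usage Custom -TransportRole FrontendTransport `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $AppServer `
    -PermissionGroups AnonymousUsers -AuthMechanism None

# Only needed if the anonymous connector must also relay to external recipients;
# without this right it accepts mail for accepted domains only.
Get-ReceiveConnector "$Server\Anonymous Relay" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# Review: which connectors on the server are externally secured and which IPs they trust.
Get-ReceiveConnector -Server $Server |
    Select-Object Name, AuthMechanism, PermissionGroups, Bindings, RemoteIPRanges |
    Format-Table -AutoSize

# Test from the application host: with Option B the recipient sees the alias as the
# sender; with Option A the From is rewritten to the mailbox's primary address.
Send-MailMessage -SmtpServer $Server -Port 25 `
    -From "alias@contoso.example" -To "user@contoso.example" `
    -Subject "Relay test" -Body "Sent through the receive connector"
```

Run the cmdlets from the Exchange Management Shell on the server (or a remote session to it); `Send-MailMessage` is run from the application host so that the connection originates from the address in `RemoteIPRanges`.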