@Yankee Penky we are in the same (painful) process as you and tried to debug this a little deeper.
on the RDG server (and only there) we set Network security: Restrict NTLM: Incoming NTLM traffic back to Allow All.
Additionally, on the domain controllers we added the RDG server's FQDN to Network security: Restrict NTLM: Add server exceptions in this domain.
this made authentication work from the non-domain-device to the RDG (we got an MFA prompt). but the next hop, connecting from RDG to the target system, failed with the CredSSP encryption oracle remediation message.
My takeaway on this is that the authentication does not switch on the RDG from NTLM to Kerberos (why would it), but the RDG keeps forward-authenticating to the target system with NTLM. So to make this scenario work, we would have to enable "incoming NTLM" also on all systems that should be reachable from the RDG, which in our case would be all clients, which in turn makes the whole idea of NTLM blocking pointless.
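An added example, not code from this thread or any of its posters: a small PowerShell audit that reads the registry values behind the "Restrict NTLM" policies and the CredSSP oracle remediation setting on the local host, so the mismatch described above (RDG accepts NTLM inbound, target denies it) can be spotted by running it on the RDG, a DC and a target client. It assumes it is run elevated on the host being checked; the descriptive labels follow the Group Policy names for those values.

```powershell
# Added example (not from the original post): report the effective "Restrict NTLM"
# and CredSSP settings on this host. Run on the RDG, a DC and a target client and
# compare the three outputs.
$msv     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$credssp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'

function Get-RegValue([string]$Path, [string]$Name) {
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent = "Not configured", the Windows default applies
}

$incoming = Get-RegValue $msv 'RestrictReceivingNTLMTraffic'  # Restrict NTLM: Incoming NTLM traffic
$outgoing = Get-RegValue $msv 'RestrictSendingNTLMTraffic'    # Restrict NTLM: Outgoing NTLM traffic to remote servers
$auditIn  = Get-RegValue $msv 'AuditReceivingNTLMTraffic'     # Restrict NTLM: Audit Incoming NTLM Traffic
$dcExc    = Get-RegValue $msv 'DCAllowedNTLMServers'          # Restrict NTLM: Add server exceptions in this domain (DCs)
$oracle   = Get-RegValue $credssp 'AllowEncryptionOracle'     # CredSSP: Encryption Oracle Remediation

$inMap    = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' }
$outMap   = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }
$auditMap = @{ 0 = 'Disable'; 1 = 'Enable auditing for domain accounts'; 2 = 'Enable auditing for all accounts' }
$orMap    = @{ 0 = 'Force updated clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Describe($Value, $Map) {
    if ($null -eq $Value) { 'Not configured' } else { "$Value ($($Map[[int]$Value]))" }
}

"Host: $env:COMPUTERNAME"
"  Incoming NTLM  : $(Describe $incoming $inMap)"
"  Outgoing NTLM  : $(Describe $outgoing $outMap)"
"  Audit incoming : $(Describe $auditIn $auditMap)"
"  DC exceptions  : $(if ($dcExc) { $dcExc -join ', ' } else { 'none' })"
"  CredSSP oracle : $(Describe $oracle $orMap)"

# The failure mode from the post: the RDG accepts NTLM inbound, but its hop to the
# target is still NTLM, so any target that denies incoming NTLM rejects the session.
if ($incoming -eq 2) {
    Write-Warning 'This host denies all incoming NTLM: an RDG that forwards NTLM to it will fail here.'
}
```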