Hello @Haytham ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
Yes, your partner organization can deploy an Azure VPN gateway in their Vnet to establish a VPN tunnel to their on-premises site and choosing the SKU of the VPN gateway completely depends on the partner's throughput requirement. If you prefer high availability, then deploying an active-active VPN gateway could help (In case you go with active-active VPN gateway, the SKU can't be Basic or Standard).
However, you need to consider the below points for this setup to work:
As you mentioned, the partner's Vnet is peered with your Hub Vnet, what is the Vnet peering configuration here? Do you have the gateway transit feature enabled? Is their side of Vnet peering using the remote gateway (which in this case is your ExpressRoute gateway)? If the answer to above question is Yes, then the partner will not be able to deploy a VPN gateway in their Vnet.
Each virtual network, including a peered virtual network, can have its own gateway. But, when you configure the gateway in the peered virtual network as a transit point to an on-premises network, the virtual network that is using a remote gateway can't have its own gateway. In such a case, the virtual network can have only one gateway - this gateway is either a local or remote gateway in the peered virtual network.
Please refer : https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview#gateways-and-on-premises-connectivity
To summarize, the partner will be able to deploy a VPN gateway in their Vnet if their Vnet has a normal Vnet peering setup with your Hub Vnet (where gateway transit & remote gateway configuration is not enabled).
Kindly let us know if the above helps or you need further assistance on this issue.
----------------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.