I opened a support case with Microsoft, and they were able to give me a hint. The missing ingredient is a private link service that is not available in the Portal and is still in preview. I was able to create it with this az command: https://learn.microsoft.com/en-us/cli/azure/network/application-gateway/private-link?msclkid=637fda6fd07f11ec9e4bab7b4233a652&view=azure-cli-latest#az-network-application-gateway-private-link-add
After that, I was able to create the private endpoint from the portal.
This still leaves a lot of open questions for me regarding the proper setup and consumption of this gateway. I am hoping to get some kind of documentation or end-to-end example from Microsoft.