Hi MrFlinstone-1451,
You can configure P2S in the VNET by deploying a VPN gateway and using certificate-based auth, then share the exe file and cert with the users who want to access the SQL remotely.
This way, remote users can securely connect to the Azure VNET. You will need to set up a Private Endpoint in the same VNET and link it to the SQL resource.
When that happens, all traffic to the SQL will go over a private connection, and you can block public access to the SQL completely.
Reference: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal
Private Endpoint: https://learn.microsoft.com/en-us/azure/private-link/tutorial-private-endpoint-sql-portal
Regards,
Karthik Srinivas
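
As an added example (not part of the answer above or of the linked documentation): a check that a VPN-connected client can run to confirm the SQL server name resolves to the private endpoint's address inside the VNet rather than to a public address. The server name `example-server` and the `10.1.0.0/16` address space are placeholders to replace with your own values.

```python
import ipaddress
import socket
import sys


def resolve(host, port=1433):
    """Return the sorted set of IP addresses the local resolver gives for host."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def classify(addresses, vnet_cidr):
    """Classify resolved addresses against the VNet address space.

    "private-endpoint": every address lies inside vnet_cidr.
    "public":           at least one address is globally routable, so the
                        client would reach SQL over its public endpoint.
    "unexpected":       non-public, but outside the VNet (e.g. a stale hosts
                        entry or an address from another private network).
    "unresolved":       no addresses were returned.
    """
    vnet = ipaddress.ip_network(vnet_cidr)
    addrs = [ipaddress.ip_address(a) for a in addresses]
    if not addrs:
        return "unresolved"
    if any(a.is_global for a in addrs):
        return "public"
    if all(a in vnet for a in addrs):
        return "private-endpoint"
    return "unexpected"


if __name__ == "__main__":
    # Placeholder defaults (assumptions): pass your own FQDN and VNet CIDR.
    host = sys.argv[1] if len(sys.argv) > 1 else "example-server.database.windows.net"
    cidr = sys.argv[2] if len(sys.argv) > 2 else "10.1.0.0/16"
    try:
        found = resolve(host)
    except socket.gaierror:
        found = []
    verdict = classify(found, cidr)
    print(f"{host} -> {found or 'no answer'}: {verdict}")
    # Non-zero exit lets a deployment script fail when the path is not private.
    sys.exit(0 if verdict == "private-endpoint" else 1)
```

Run it once with the VPN connected: a `public` verdict means the client's DNS is not returning the private endpoint record, even if the tunnel itself is up.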