As it stands we have a Cisco ASA configured to establish an IPsec tunnel to Azure, effectively creating a hybrid network. We also have a separate device for VPN access which users connect into to get onto the network. From a local network gateway perspective, could the FQDN of the user VPN be used to bypass the VPN gateway for routing to on-prem? Routing back out of the VPN gateway, across the external IP and back into the network seems unnecessary considering a tracert to an on-prem IP shows the next hop as that user VPN appliance. When utilizing the next hop option in Network Watcher it ends up going back out of the gateway's subnet to the Azure VPN Gateway and to the external of the ASA, which has been designated the LNG.
There may be some other considerations needed but as it stands the internal IP of that User VPN does have routes in place that would allow for forwarding.
Route propagation is enabled and Azure has written those "virtual networks" to use the next hop of the Azure VPN connection. We do utilize seamless sign-on as well, which connects via our local AD creds.
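The checks a practitioner would run on the setup described above, as an added example that is not part of the original post and not the poster's configuration: first inspect the effective routes on a workload NIC and ask Network Watcher for the next hop to an on-prem address, then steer the on-prem prefix through the internal IP of the user VPN appliance with a user-defined route (next hop type VirtualAppliance) and IP forwarding on that appliance's NIC, and re-check. All names and addresses (resource group `rg-hybrid`, VNet `vnet-hub`, subnet `snet-app`, VM `vm-app01`, NIC `nic-app01`, appliance NIC `nic-uservpn` at 10.1.0.10, on-prem prefix 192.168.0.0/16) are assumptions for illustration. It requires the Az PowerShell module and an authenticated session.

```powershell
# Added example, not from the original post. All resource names, IPs and prefixes
# below are assumed placeholders; replace them with your own before running.
# Requires: Az module, Connect-AzAccount already done.

$rg       = 'rg-hybrid'
$vnetName = 'vnet-hub'
$subnet   = 'snet-app'          # workload subnet that should reach on-prem via the appliance
$vmName   = 'vm-app01'          # a workload VM in that subnet
$vmNic    = 'nic-app01'         # that VM's NIC
$applNic  = 'nic-uservpn'       # NIC of the user VPN appliance (assumed)
$applIp   = '10.1.0.10'         # internal IP of the user VPN appliance (assumed)
$onPrem   = '192.168.0.0/16'    # on-prem prefix currently learned via the Azure VPN Gateway (assumed)
$srcIp    = '10.1.1.4'          # private IP of vm-app01 (assumed)
$dstIp    = '192.168.10.20'     # an on-prem host to test against (assumed)

$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$nw   = Get-AzNetworkWatcher -Location $vnet.Location
$vm   = Get-AzVM -ResourceGroupName $rg -Name $vmName

# 1. What the VM actually uses today: effective routes for the on-prem prefix and
#    anything pointing at the VPN gateway (gateway-propagated routes show Source = VirtualNetworkGateway).
Get-AzEffectiveRouteTable -ResourceGroupName $rg -NetworkInterfaceName $vmNic |
    Where-Object { $_.AddressPrefix -contains $onPrem -or $_.NextHopType -eq 'VirtualNetworkGateway' } |
    Format-Table Source, State, AddressPrefix, NextHopType, NextHopIpAddress -AutoSize

# 2. Network Watcher's answer for a packet from the VM to an on-prem host.
#    Before the UDR below exists, expect NextHopType = VirtualNetworkGateway.
Get-AzNetworkWatcherNextHop -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
    -SourceIPAddress $srcIp -DestinationIPAddress $dstIp

# 3. The appliance must be allowed to forward packets not addressed to its own NIC,
#    otherwise Azure drops traffic the UDR sends to it.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $applNic
$nic.EnableIPForwarding = $true
$nic | Set-AzNetworkInterface | Out-Null

# 4. A user-defined route for the on-prem prefix with the appliance's internal IP as next hop.
#    For an identical prefix Azure prefers a UDR over a BGP/gateway-propagated route, so this
#    overrides the route the VPN Gateway wrote without disabling propagation for the whole subnet.
$rt = New-AzRouteTable -ResourceGroupName $rg -Name 'rt-app-to-onprem' -Location $vnet.Location
Add-AzRouteConfig -RouteTable $rt -Name 'onprem-via-uservpn' -AddressPrefix $onPrem `
    -NextHopType VirtualAppliance -NextHopIpAddress $applIp | Set-AzRouteTable | Out-Null

# 5. Associate the route table with the workload subnet only. Do NOT attach it to the subnet
#    that holds the appliance itself, or the appliance's own on-prem traffic would loop back to it.
$subnetCfg = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet `
    -AddressPrefix $subnetCfg.AddressPrefix -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 6. Re-check. Now expect NextHopType = VirtualAppliance and NextHopIpAddress = $applIp.
Get-AzNetworkWatcherNextHop -NetworkWatcher $nw -TargetVirtualMachineId $vm.Id `
    -SourceIPAddress $srcIp -DestinationIPAddress $dstIp
```

Two points worth keeping in mind when reading the output. The local network gateway's IP or FQDN only identifies the IPsec peer that the Azure VPN Gateway tunnels to; it does not influence how the VNet forwards a packet, which is decided by the effective route table of the sending NIC, so a UDR on the workload subnet is the mechanism that changes the next hop. Steering traffic this way also assumes the appliance can deliver and return that traffic itself (its own routes, its VPN session and any NSG rules on its subnet), which the second `Get-AzNetworkWatcherNextHop` call cannot verify; a ping or tracert from the VM after the change is the end-to-end test.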