I don't have experience with FortiWeb, but here's how it may work with something like pfSense, for example. This should be applicable to FortiWeb.
- FortiWeb and app service both connected to subnets within the same VNet, or peered VNets. This is your Trusted Zone. App service is connected using private endpoint and gets an IP on the subnet within the VNet.
- A custom domain record for your users to resolve the site to the 'Public' IP of the FortiWeb. You cannot use the myapp.azurewebsites.net domain name here; that always points to your app service and is meant to be transient (MS might change the underlying IP at any time).
- Reverse Proxy rules on the FortiWeb to publish the IP address of the app service.
- The Fortinet should be configurable to use the myapp.azurewebsites.net host header when proxying connections to the app service.
- Alternatively, add the custom domain record to your app service as well, and have the FortiWeb resolve it that way (note that you'd have two records here: your public one for your users would resolve to the FortiWeb public IP, while your 'private' one for your trusted zone would be for the Fortinet to resolve the app service IP that was provided by the private endpoint).
In theory this should get you there!
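
A check for the two-record layout described above, as an added example that is not part of the original post. It compares what an Internet resolver and a resolver inside the VNet return for the same names; `www.example.com`, the addresses and the function names are assumptions, and the sample answers are constructed.

```python
import ipaddress

# RFC 1918 ranges: a private endpoint takes its address from a VNet subnet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    return any(addr in net for net in RFC1918)

def audit_split_horizon(public_view, private_view, site, origin_host):
    """Return findings for the two-record layout.

    Each view maps hostname -> list of IP strings, as answered by an Internet
    resolver (public_view) and by a resolver inside the VNet (private_view).
    """
    def addrs(view, name):
        return [ipaddress.ip_address(a) for a in view.get(name, [])]

    findings = []
    pub, priv = addrs(public_view, site), addrs(private_view, site)
    if not pub:
        findings.append(f"{site}: no public record, users cannot reach the WAF")
    if not priv:
        findings.append(f"{site}: no record inside the VNet for the WAF to resolve")
    for a in pub:
        if is_internal(a):
            findings.append(f"{site}: public record leaks internal address {a}")
    for a in priv:
        if not is_internal(a):
            findings.append(f"{site}: internal record {a} is not a private endpoint address")
    if set(pub) & set(priv):
        findings.append(f"{site}: both views return the same address")
    # Host-header option: the origin name must also stay on the private endpoint.
    for a in addrs(private_view, origin_host):
        if not is_internal(a):
            findings.append(f"{origin_host}: resolves to {a} inside the VNet, bypassing the private endpoint")
    return findings

# Constructed sample answers (documentation and RFC 1918 addresses).
SITE, ORIGIN = "www.example.com", "myapp.azurewebsites.net"
PUBLIC = {SITE: ["203.0.113.10"]}
GOOD_PRIVATE = {SITE: ["10.0.2.4"], ORIGIN: ["10.0.2.4"]}
BAD_PRIVATE = {SITE: ["203.0.113.10"], ORIGIN: ["198.51.100.7"]}

if __name__ == "__main__":
    for label, view in (("good", GOOD_PRIVATE), ("bad", BAD_PRIVATE)):
        print(label, audit_split_horizon(PUBLIC, view, SITE, ORIGIN))
```

An empty list means the public record lands on the WAF and everything the WAF resolves stays on the private endpoint.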