Hi,
I was able to do this using an app gateway (private IP) doing TLS termination and host rewrite. The front end had a cert issued by a trusted internal CA, so all internal systems accessing the app gateway front end were able to establish a TLS session successfully; the back end implicitly trusts the web app's cert because it was issued by a publicly trusted root CA.
I registered the front end of my app gateway (private IP) in my private DNS zone (webapp.sandbox.lab).
The private endpoint automatically created the "privatelink.azurewebsites.net" private DNS zone.
Thanks,
J
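As an added example, not J's own deployment, the setup above written out as a Bicep template: an Application Gateway with a private frontend terminating TLS with an internal-CA certificate, backend HTTPS to the web app with the Host header rewritten to the web app's own hostname, and an A record for webapp.sandbox.lab in the private DNS zone. The subnet id, the PFX and its password, the web app hostname and the 10.20.0.10 frontend address are assumed or placeholder values, and the private endpoint plus its privatelink.azurewebsites.net zone are assumed to exist already.

```bicep
param appGwSubnetId string                           // assumption: id of the existing App Gateway subnet
param frontendPrivateIp string = '10.20.0.10'        // constructed sample: private frontend IP
param webAppFqdn string = 'WEBAPP.azurewebsites.net' // placeholder: the web app's default hostname
@secure()
param internalCertPfxBase64 string                   // assumption: PFX issued by the internal CA, base64-encoded
@secure()
param internalCertPfxPassword string
var agwName = 'agw-webapp'
var t = 'Microsoft.Network/applicationGateways'
var feIpId = resourceId('${t}/frontendIPConfigurations', agwName, 'fe-private')
var fePortId = resourceId('${t}/frontendPorts', agwName, 'p443')
var certId = resourceId('${t}/sslCertificates', agwName, 'internal-cert')
var listenerId = resourceId('${t}/httpListeners', agwName, 'https-listener')
var poolId = resourceId('${t}/backendAddressPools', agwName, 'webapp-pool')
var settingsId = resourceId('${t}/backendHttpSettingsCollection', agwName, 'https-webapp')
resource appGw 'Microsoft.Network/applicationGateways@2023-09-01' = {
  name: agwName
  location: resourceGroup().location
  properties: {
    sku: { name: 'Standard_v2', tier: 'Standard_v2', capacity: 1 }
    gatewayIPConfigurations: [{ name: 'gwip', properties: { subnet: { id: appGwSubnetId } } }]
    // Private-only frontend: nothing is exposed on a public IP
    frontendIPConfigurations: [{ name: 'fe-private', properties: { privateIPAllocationMethod: 'Static', privateIPAddress: frontendPrivateIp, subnet: { id: appGwSubnetId } } }]
    frontendPorts: [{ name: 'p443', properties: { port: 443 } }]
    // TLS terminates here with the internal-CA cert, which internal clients already trust
    sslCertificates: [{ name: 'internal-cert', properties: { data: internalCertPfxBase64, password: internalCertPfxPassword } }]
    // The FQDN resolves to the private endpoint via the privatelink.azurewebsites.net zone
    backendAddressPools: [{ name: 'webapp-pool', properties: { backendAddresses: [{ fqdn: webAppFqdn }] } }]
    backendHttpSettingsCollection: [{
      name: 'https-webapp'
      properties: {
        port: 443
        protocol: 'Https'
        // Host rewrite: App Service routes on the Host header, so send its own name, not webapp.sandbox.lab.
        // No trustedRootCertificates entry is needed because the backend cert chains to a public root.
        hostName: webAppFqdn
        pickHostNameFromBackendAddress: false
      }
    }]
    httpListeners: [{ name: 'https-listener', properties: { protocol: 'Https', frontendIPConfiguration: { id: feIpId }, frontendPort: { id: fePortId }, sslCertificate: { id: certId } } }]
    requestRoutingRules: [{ name: 'to-webapp', properties: { ruleType: 'Basic', priority: 100, httpListener: { id: listenerId }, backendAddressPool: { id: poolId }, backendHttpSettings: { id: settingsId } } }]
  }
}
// webapp.sandbox.lab -> gateway private frontend, so internal clients never need the public name
resource zone 'Microsoft.Network/privateDnsZones@2020-06-01' existing = { name: 'sandbox.lab' }
resource rec 'Microsoft.Network/privateDnsZones/A@2020-06-01' = {
  parent: zone
  name: 'webapp'
  properties: { ttl: 300, aRecords: [{ ipv4Address: frontendPrivateIp }] }
}
```

The internal-CA certificate's subject or SAN must match webapp.sandbox.lab, and the gateway's subnet needs DNS that can see the privatelink zone, otherwise the backend health probe fails before any client request does.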