If anyone is still searching for a solution, we got this to work by setting up a 2nd AAD proxy for the OOS farm. So we have an AAD proxy for SharePoint 2019 and one for OOS.
We did not extend the SP application, but rather pointed the AAD proxy to the same URL as the web app that is behind the firewall. In this way, users will go to the same URL whether or not they are logged into the VPN. We point the SP to the OOS external URL. So, the commands would look something like this for document rendering:
# OOS proxy (run on the OOS server)
$Internal = "<AAD proxy url>"                 # URL published by the AAD proxy for OOS
$External = "<URL to which SP is pointed>"    # external URL SharePoint is pointed at
$cert     = "<Friendly name of current cert>" # friendly name of the cert in Cert:\LocalMachine\My
New-OfficeWebAppsFarm -InternalUrl $Internal -ExternalUrl $External -CertificateName $cert -EditingEnabled

# SharePoint WOPI (run on the SP app server)
# -ServerName takes the OOS host name (FQDN), not a full URL, so take the host part of $External
$External = "<URL to which SP is pointed>"
New-SPWOPIBinding -ServerName ([Uri]$External).Host
This works great for Windows users. However, we have had a ticket open with Microsoft for months now for Mac users. They get thrown into an infinite loop of authentication with Jamf, Intune & Conditional Access. So, if you only have Windows users, this should work for you.
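A post-configuration check for the two-proxy setup described in the post above, added here as an example and not part of the original reply; the URL, certificate friendly name and host values are placeholder assumptions.

```powershell
# Added example (not from the original post): verify the OOS farm, certificate,
# SharePoint WOPI binding/zone and discovery endpoint for the two-AAD-proxy setup.
$External         = "https://<URL to which SP is pointed>"   # assumed placeholder
$CertFriendlyName = "<Friendly name of current cert>"        # assumed placeholder

# --- On the OOS server ---
# 1. Farm URLs should match what the two AAD proxies publish; editing must be enabled.
$farm = Get-OfficeWebAppsFarm
"InternalUrl: $($farm.InternalUrl)  ExternalUrl: $($farm.ExternalUrl)  Editing: $($farm.EditingEnabled)"

# 2. The certificate bound to the farm must exist in the machine store and not be
#    close to expiry, otherwise the proxy back end fails TLS and users see errors.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object FriendlyName -eq $CertFriendlyName
if (-not $cert) { Write-Warning "No certificate with friendly name '$CertFriendlyName'" }
elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires $($cert.NotAfter)" }

# --- On the SharePoint app server ---
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 3. The binding must target the OOS host name, and because SharePoint is pointed at
#    the external URL the WOPI zone must be external-https; otherwise SharePoint
#    builds internal-https links that users outside the VPN cannot reach.
$expectedHost = ([Uri]$External).Host
$bindings = Get-SPWOPIBinding | Where-Object { $_.ServerName -eq $expectedHost }
if (-not $bindings) { Write-Warning "No WOPI binding for $expectedHost; run New-SPWOPIBinding -ServerName $expectedHost" }
$zone = Get-SPWOPIZone
if ($zone -ne "external-https") { Write-Warning "WOPI zone is '$zone'; fix with: Set-SPWOPIZone -zone 'external-https'" }

# 4. Discovery must be reachable over HTTPS through the proxy. /hosting/discovery is the
#    standard OOS WOPI discovery endpoint; a redirect to a sign-in page here means the
#    proxy's pre-authentication is intercepting the server-to-server call before OOS.
try {
    $r = Invoke-WebRequest -Uri "$External/hosting/discovery" -UseBasicParsing -MaximumRedirection 0
    if ($r.StatusCode -eq 200 -and $r.Content -match '<wopi-discovery') { "Discovery OK" }
    else { Write-Warning "Unexpected discovery response: $($r.StatusCode)" }
} catch { Write-Warning "Discovery request failed: $($_.Exception.Message)" }
```

Run the first half on the OOS server and the second half on the SharePoint app server; each warning names the cmdlet that fixes the condition it found.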