Actually, your understanding is correct. The IDPS feature on Azure Firewall cannot inspect inbound TLS traffic. To leverage full IDPS rule coverage for inbound HTTPS traffic, you would indeed need to front Azure Firewall with Azure Application Gateway WAF. Actually, you can think of this as a best practice for security design, since in the real world this task is mostly assigned to WAF devices: for inbound traffic you need to provide a service. And our purpose is to protect our firewall from a DDoS-like attack, since the main purpose of the firewall is to control internal traffic.
https://learn.microsoft.com/en-us/azure/firewall/premium-features
To protect internal servers or applications hosted in Azure from malicious requests that arrive from the Internet or an external network. Application Gateway provides end-to-end encryption.
https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview