Thank you for sharing this question in this community space.
I would like to share the following article, which relates to the statement you described earlier. Please see below:
TLS 1.2 is used for all connections initiated from the clients and session hosts to the Azure Virtual Desktop infrastructure components. Azure Virtual Desktop uses the same TLS 1.2 ciphers as Azure Front Door. It's important to make sure both client computers and session hosts can use these ciphers. For reverse connect transport, both client and session host connect to the Azure Virtual Desktop gateway. After establishing the TCP connection, the client or session host validates the Azure Virtual Desktop gateway's certificate. After establishing the base transport, RDP establishes a nested TLS connection between client and session host using the session host's certificates. By default, the certificate used for RDP encryption is self-generated by the OS during the deployment. If desired, customers may deploy centrally managed certificates issued by the enterprise certification authority.
Furthermore, ExpressRoute (ER) is a dedicated link that can be either an L2 or L3 MPLS connection, which is the opposite of how the internet works, since the internet is a shared environment in some way.
I hope you can find this useful to overcome your concern.
Looking forward to your feedback,
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
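The quoted paragraph asks the reader to make sure both clients and session hosts can use the Front Door TLS 1.2 cipher suites, validate the gateway certificate, and know which certificate the nested RDP TLS connection uses. The following PowerShell is an added example written for this page, not code from the original answer or from Microsoft's documentation. It assumes a Windows 10 / Server 2016 or later host (for `Get-TlsCipherSuite` and the `root/cimv2/TerminalServices` WMI namespace), and the cipher-suite list and the `rdweb.wvd.microsoft.com` hostname are assumptions to be confirmed against the current Azure Front Door and Azure Virtual Desktop documentation.

```powershell
# Added example for checking an AVD session host or Windows client against the
# points in the quoted paragraph. Run in an elevated PowerShell session on Windows.

# ASSUMPTION: cipher-suite names recalled from the Azure Front Door TLS 1.2 docs;
# verify against the current documentation before relying on this list.
$RequiredSuites = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
)

function Test-Tls12ClientEnabled {
    # SCHANNEL negotiates TLS 1.2 for outbound (client) connections unless the
    # registry explicitly disables it. A missing key means "OS default", which is
    # enabled on Windows 10 / Server 2016 and later.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    if (-not (Test-Path $key)) { return $true }
    $p = Get-ItemProperty -Path $key
    $enabled     = ($null -eq $p.Enabled) -or ($p.Enabled -ne 0)
    $notDisabled = ($null -eq $p.DisabledByDefault) -or ($p.DisabledByDefault -eq 0)
    return ($enabled -and $notDisabled)
}

function Get-MissingFrontDoorSuites {
    # Get-TlsCipherSuite lists the suites SCHANNEL will offer. A hardened
    # "SSL Cipher Suite Order" group policy that drops all of these is a common
    # reason a host can open TCP 443 but never completes the TLS handshake.
    $offered = (Get-TlsCipherSuite).Name
    return @($RequiredSuites | Where-Object { $_ -notin $offered })
}

function Test-GatewayTls12 {
    # Opens a TLS 1.2 connection the way the client does in the first hop and
    # lets SslStream's default callback validate the gateway certificate chain;
    # an untrusted chain throws System.Security.Authentication.AuthenticationException.
    param([string]$HostName = 'rdweb.wvd.microsoft.com')   # ASSUMED AVD endpoint
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, 443)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)
        [pscustomobject]@{
            Host        = $HostName
            Protocol    = $ssl.SslProtocol
            KeyExchange = $ssl.KeyExchangeAlgorithm
            Cipher      = "$($ssl.CipherAlgorithm)-$($ssl.CipherStrength)"
            Hash        = $ssl.HashAlgorithm
            Issuer      = $ssl.RemoteCertificate.Issuer
        }
    } finally { $tcp.Dispose() }
}

function Get-RdpListenerCertificate {
    # The nested RDP TLS connection uses the listener certificate whose SHA-1
    # thumbprint is stored on the RDP-Tcp listener. The OS-generated one lives in
    # the "Remote Desktop" store; an enterprise-CA certificate is usually in My.
    $ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $thumb = $ts.SSLCertificateSHA1Hash
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\Remote Desktop', 'Cert:\LocalMachine\My' `
        -ErrorAction SilentlyContinue | Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
    [pscustomobject]@{
        Thumbprint = $thumb
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        SelfSigned = ($null -ne $cert -and $cert.Subject -eq $cert.Issuer)
        NotAfter   = $cert.NotAfter
    }
}

# Report
"TLS 1.2 client enabled : $(Test-Tls12ClientEnabled)"
$missing = Get-MissingFrontDoorSuites
"Missing Front Door suites: $(if ($missing) { $missing -join ', ' } else { 'none' })"
Test-GatewayTls12 | Format-List
Get-RdpListenerCertificate | Format-List
```

A `SelfSigned` value of `True` in the last section means the host is still using the certificate the OS generated at deployment, which is the default the quoted paragraph describes; after deploying an enterprise-CA certificate, the `Issuer` field should change to that CA and `Test-GatewayTls12` should continue to succeed, since the gateway hop is independent of the RDP listener certificate.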