It seems a bit confusing. There are a lot of questions, and not all of them seem to be connected (except that they can be part of one architecture).
You're speaking about Hybrid Active Directory - we prefer to speak about "Hybrid Identity". In this setup your company will have an on-prem Active Directory (AD DS) that is synchronized (with the AAD Connect tool) with the Azure Active Directory in your Microsoft cloud tenant. Then you will be able to assign licences and use SaaS services for all these "hybrid" accounts - depending on what you want to do.
Then you speak about workloads in Azure. So you will have some Azure subscriptions and you will create some VMs or other resources. You can do lift and shift (many tools or Azure solutions can help you do lift and shift). If we're speaking about Windows Server VMs you will probably not have much to do - but keep in mind that you will have to manage the network part: maybe the new IP address in Azure will not be the same as on-premises? Will that have an impact on what you're running on this server? Also, do not forget to install the Azure Agent if needed, to be sure you will be able to manage the VM you've moved. Consider looking at Azure Migrate, which will allow you to lift and shift at large scale: https://learn.microsoft.com/en-us/azure/site-recovery/migrate-tutorial-on-premises-azure - Hopefully you will not need to reinstall your OS, but in some cases you may go with this option (it depends on your expectations and what is running on your VM).
You speak about identity management when you're in a cloud scenario. In general, a company will create a private connection between the on-prem network and the network in Azure (we can use a VPN S2S or a dedicated ExpressRoute). With that in place, Azure becomes the extension of your on-premises datacenter and network, so you will be able to connect with your traditional on-prem credentials. For this example, it has nothing to do with Hybrid. But yes, it's also possible to have both possibilities with VMs in Azure: connection from standard on-prem accounts or with Azure Active Directory accounts (just a few setups to do).
Azure VPN Gateway: need more context.
Azure Firewall is the NVA (Network Virtual Appliance) proposed by Microsoft as an alternative to the classic ones: F5 BIG-IP, Citrix NetScaler, Palo Alto, etc. It's a powerful network platform, but there are also some important differences: for example, Azure Firewall is a "platform", which means you don't need to deploy virtual machines or virtual appliances. It will automatically scale with your usage.
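The readdressing caveat raised in the answer above (a lifted-and-shifted VM may get a new IP in Azure, and anything hard-coded against its old address, or against services that stay on-prem, needs checking before cut-over) can be turned into a pre-migration check. The script below is an added example and is not code from the original post or from any Microsoft tool. The on-prem range, the Azure range, the readdressing plan and the sample config file are all constructed for the example; in practice you would feed it the address plan from Azure Migrate and the real config files collected from each server.

```python
"""Pre-migration check: find hard-coded IPv4 addresses in a config file and
classify them against a lift-and-shift readdressing plan.

Categories reported:
  remapped      - address belongs to a VM that moves to Azure and changes IP
  stays-onprem  - on-prem address not in the plan (e.g. a domain controller);
                  after the move it is reachable only over the S2S VPN /
                  ExpressRoute, so routing and NSG/firewall rules must allow it
  external      - public or otherwise unrelated address, unaffected by the move
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample data (assumptions for this example, not real networks).
ONPREM_RANGES = [ipaddress.ip_network("10.10.0.0/16")]
AZURE_RANGES = [ipaddress.ip_network("10.50.0.0/16")]
READDRESS_PLAN: Dict[str, str] = {
    "10.10.1.20": "10.50.1.20",   # APP01 moves to Azure
    "10.10.1.30": "10.50.1.30",   # SQL01 moves to Azure
}

# Constructed sample config, not a real file.
SAMPLE_CONFIG = """\
# app01.ini (constructed sample)
[database]
host = 10.10.1.30
port = 1433
[auth]
ldap_server = 10.10.0.5
[telemetry]
endpoint = 203.0.113.10
version = 999.1.1.1
"""


@dataclass
class Finding:
    line_no: int
    address: str
    category: str
    new_address: Optional[str] = None


def classify(addr: str) -> Tuple[str, Optional[str]]:
    """Classify one valid IPv4 address against the plan and the on-prem ranges."""
    ip = ipaddress.ip_address(addr)
    if addr in READDRESS_PLAN:
        return "remapped", READDRESS_PLAN[addr]
    if any(ip in net for net in ONPREM_RANGES):
        return "stays-onprem", None
    return "external", None


def scan_config(text: str) -> List[Finding]:
    """Return one Finding per hard-coded IPv4 address, in file order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in IPV4_RE.finditer(line):
            token = match.group()
            try:
                ipaddress.ip_address(token)
            except ValueError:
                continue  # dotted token that is not an address (e.g. 999.1.1.1)
            category, new_addr = classify(token)
            findings.append(Finding(line_no, token, category, new_addr))
    return findings


def rewrite_config(text: str) -> str:
    """Apply the readdressing plan. Only whole address tokens are replaced, so
    10.10.1.2 is never clobbered by the entry for 10.10.1.20; addresses that
    stay on-prem are left untouched."""
    return IPV4_RE.sub(lambda m: READDRESS_PLAN.get(m.group(), m.group()), text)


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_config(SAMPLE_CONFIG)
    for f in results:
        extra = f" -> {f.new_address}" if f.new_address else ""
        print(f"line {f.line_no}: {f.address} [{f.category}]{extra}")
    print(summarize(results))
    print(rewrite_config(SAMPLE_CONFIG))
```

The "stays-onprem" findings are the ones that tend to bite after a lift and shift: the database line is rewritten automatically, but the LDAP server still points at a domain controller that remains on-premises, so the VM will only authenticate if the S2S VPN or ExpressRoute route to 10.10.0.0/16 exists and the firewall rules allow LDAP/Kerberos back to that network.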