Hi - thanks for the question. Based on what you've said it sounds like the control plane traffic - which is inbound from the Azure Data Centre to your APIM instance is blocked.
Usually there's two possible reasons
(a) There's an NSG which is preventing the traffic on the given port (3443)
(b) There's force tunnelling - a user defined route is pushing traffic from APIM subnet to a firewall - an exclusion is recommended so the return path for the control plane traffic is not sent via the firewall.
Both issues and mitigations are covered in the link, in your question and here
If none of that applies (the NSG is correct, and you either dont force tunnel, or you do and it's set up as recommended) then...:-
If you're APIM is vnet connected and running in internal mode (private IP) then the APIM gateway resource itself and its endpoints will only be accessible via the network (either a client on the network, or on a connecting network) and not publicly. But.... the control plane still works because a public IP is retained for this purpose.
Aside from using the apim test console in the portal , there should not be a need to interact with APIM via the Az portal from a browser/VM client with direct networking line of sight (in the test console case, the one that ships with the dev portal can be used instead)